Analysis
- max time kernel: 143s
- max time network: 109s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 01:10
Static task
- static1

Behavioral task
- behavioral1
  Sample: a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
  Resource: win10v2004-20220901-en
General
- Target: a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
- Size: 1.1MB
- MD5: 753beed5c8ef36a4f9974bb5ed154c2e
- SHA1: b88685813f147997e9a39f7771bf4efb8bbbf257
- SHA256: a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98
- SHA512: 081a5dab5f68aa18d56451d2e3e3011dc89087dd450e4b6617443577658a0985e3e21fd597e015c5c5c6aeebf7a8e38c2a04d3dbf292f4b46ddc49ab42bedcca
- SSDEEP: 24576:JkjHSN59ngsR+PEIzzamL1472ex/Fbl2DPpoUX:JuinF+sIHlDI5YDqu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1744, Process svchost.exe
  pid 1752, Process svchost.exe
- Loads dropped DLL (2 IoCs)
  pid 2040, Process a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
  pid 2040, Process a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Process: reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (Process: reg.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1744 set thread context of 1752 (Process: svchost.exe, procid_target: 30)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 1 IoC)
  pid 2016, Process reg.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2040 wrote to memory of 2016 (Process: a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe, procid_target: 27), 4 entries
  PID 2040 wrote to memory of 1744 (Process: a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe, procid_target: 29), 4 entries
  PID 1744 wrote to memory of 1752 (Process: svchost.exe, procid_target: 30), 6 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe"
  PID: 2040
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\reg.exe
    Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe" /f
    PID: 2016
    Signatures: Adds Run key to start application; Modifies registry key
  - [2] C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    PID: 1744
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 1752
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
  MD5: 17b27756f4fec5d202d660d2caccd7d3
  SHA1: 69499864ea1d954b7b7c835bb2fe520249fe145e
  SHA256: 49dde38f106e92e79c75d96244df9a34755fe40c7d213ddbdd86f81173b22b14
  SHA512: 4141d59907975201f21774d972b80e53c3053b6f13675f1a1a24b64eecf32724c724a52334e55969a602ce90686ee0d3b6b1c21b17c3e3ef7ce6f375efeabb17