Analysis
- Max time kernel: 145s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20220812-en
- Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- Submitted: 03-12-2022 01:54
Behavioral task behavioral1
- Sample: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
- Resource: win10v2004-20221111-en
General
- Target: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
- Size: 900KB
- MD5: 353363e2a1f090ed0936349a8b64abb0
- SHA1: c6d1690789e404a9b4d096c5746e0891697d3ce4
- SHA256: 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3
- SHA512: 4578ab61e7c7d55aec016287951319a1e364983ce1a8f740ebf100c9462652885d0eab866d379d62a0b409eb2bb3f790d8c8bcaa6028c44553c6eb4c82db9f65
- SSDEEP: 24576:jDKIe5GiyseoVIAmBpVKHu0Mu9Xo20VGLVP5:jyGkrVIAmKZV
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- SO2NNNU.EXE set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDSVC\\MSDSVC3.exe"
Executes dropped EXE (2 IoCs)
Processes:
- PID 1016 SO2NNNU.EXE
- PID 1088 MSDSVC3.exe
Loads dropped DLL (4 IoCs)
Processes:
- PID 1992 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe (2 IoCs)
- PID 1016 SO2NNNU.EXE (2 IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- SO2NNNU.EXE set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service = "C:\\Users\\Admin\\AppData\\Roaming\\MSDSVC\\MSDSVC3.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
- PID 1016 SO2NNNU.EXE and PID 1088 MSDSVC3.exe each adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 968 DllHost.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (source PID -> target PID, 4 IoCs each):
- PID 1992 6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe wrote to memory of PID 1016 SO2NNNU.EXE
- PID 1016 SO2NNNU.EXE wrote to memory of PID 1088 MSDSVC3.exe
- PID 1016 SO2NNNU.EXE wrote to memory of PID 1780 cmd.exe
- PID 1780 cmd.exe wrote to memory of PID 616 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cde6ee1b9c49e50d2730dc72111f4ed07e6cecca1ea447085a4707509c427b3.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE"
    Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 5
        Signatures: Runs ping.exe
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IMG_0107.JPG
  Filesize: 197KB
  MD5: d220784f629aac587cb1d81527c9fe64
  SHA1: ad448315bf7d7d046fe4eddd5923e47d6bd4c354
  SHA256: 13dd6e5ba7c193eebda4b4f100fe1c9a2e23e8fd83cb0a0230ecc325a17c70ca
  SHA512: 2e779f06b621a19bc6a4be478ef54cb7d3efc561b127e121100893d7dafa19f552b9d533f88f36c76a28900e64c1c3fd1e173223ccb3c110f1cfa4fbbb5ad52e
- C:\Users\Admin\AppData\Local\Temp\SO2NNNU.EXE
  Filesize: 648KB
  MD5: f3c4f63451faf149e750adc29612bd12
  SHA1: 472040a80c2deb5d47e1a9b338074feefb6513fe
  SHA256: 8baffedce5b458ac33e5084dd8262a8a74e8c02963458748ebd0aac40a533a44
  SHA512: 46f2f61d268b84bac9d81efabd45003fbe16173c4ce0440b505ff62c97866e69dcb8ca643257b8db3fac83232a4939736677ababbcbeb0c5ca529974fdb0c308
- C:\Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe
  Filesize: 648KB
  MD5: f3c4f63451faf149e750adc29612bd12
  SHA1: 472040a80c2deb5d47e1a9b338074feefb6513fe
  SHA256: 8baffedce5b458ac33e5084dd8262a8a74e8c02963458748ebd0aac40a533a44
  SHA512: 46f2f61d268b84bac9d81efabd45003fbe16173c4ce0440b505ff62c97866e69dcb8ca643257b8db3fac83232a4939736677ababbcbeb0c5ca529974fdb0c308
  (same file as SO2NNNU.EXE above; identical size and hashes)
- \Users\Admin\AppData\Local\Temp\SO2NNNU.EXE (listed twice in the report; identical size and hashes to SO2NNNU.EXE above)
- \Users\Admin\AppData\Roaming\MSDSVC\MSDSVC3.exe (listed twice in the report; identical size and hashes to MSDSVC3.exe above)
- memory/616-68-0x0000000000000000-mapping.dmp
- memory/1016-58-0x0000000000000000-mapping.dmp
- memory/1088-64-0x0000000000000000-mapping.dmp
- memory/1780-67-0x0000000000000000-mapping.dmp
- memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp
  Filesize: 8KB