Analysis
max time kernel: 161s
max time network: 184s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 03-12-2022 03:05
Behavioral task: behavioral1
Sample: 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe
Resource: win10v2004-20220901-en
General
Target: 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe
Size: 224KB
MD5: 3d87ad286ea6ba21c992de2aeefef580
SHA1: 6eb4f26558fe718c577f15af7c07aa2b28a162f2
SHA256: 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e
SHA512: c25f0cd781280ca839932fef073facb83719fa4861ae771efbf385ee9a78bc3ca02a26378818a6b40fe5e0cf5d597cd5ddcdab799e02573f5739daa19f01c237
SSDEEP: 6144:af36DoS5uFULGySd6Rp+PQtWvWFmF4GyfNKwBAA:aaoSkXuWvAmFHyfXBF
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

resource | yara_rule
behavioral1/memory/1720-66-0x0000000000400000-0x000000000040D000-memory.dmp | upx
behavioral1/memory/804-70-0x0000000000400000-0x000000000040D000-memory.dmp | upx

Deletes itself (1 IoC)
pid | Process
664 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\efsuings = "C:\\Windows\\system32\\drvigmp2.exe" | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drvigmp2.exe | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe
File opened for modification | C:\Windows\SysWOW64\drvigmp2.exe | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1720 set thread context of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 804 set thread context of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1636 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: 33 | 568 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 568 | AUDIODG.EXE
Token: 33 | 568 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 568 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1636 | explorer.exe
Token: SeShutdownPrivilege | 1636 | explorer.exe

Suspicious use of FindShellTrayWindow (28 IoCs)
pid | Process
1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe

Suspicious use of SendNotifyMessage (19 IoCs)
pid | Process
1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe 1636 explorer.exe

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 1720 wrote to memory of 804 | 1720 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 28
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 1636 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 29
PID 804 wrote to memory of 664 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 30
PID 804 wrote to memory of 664 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 30
PID 804 wrote to memory of 664 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 30
PID 804 wrote to memory of 664 | 804 | 199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe | 30
PID 664 wrote to memory of 2020 | 664 | cmd.exe | 34
PID 664 wrote to memory of 2020 | 664 | cmd.exe | 34
PID 664 wrote to memory of 2020 | 664 | cmd.exe | 34
PID 664 wrote to memory of 2020 | 664 | cmd.exe | 34

Views/modifies file attributes (1 TTP, 1 IoC)
pid | Process
2020 | attrib.exe
Processes
- PID 1720: C:\Users\Admin\AppData\Local\Temp\199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - PID 804: \??\c:\users\admin\appdata\local\temp\199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe (level 2)
    command line: "c:\users\admin\appdata\local\temp\199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - PID 1636: C:\Windows\explorer.exe (level 3)
      command line: "C:\Windows\explorer.exe"
      - Modifies Installed Components in the registry
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    - PID 664: C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: cmd /c ""C:\Users\Admin\appdata\local\temp\7114238.bat" "c:\users\admin\appdata\local\temp\199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe""
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - PID 2020: C:\Windows\SysWOW64\attrib.exe (level 4)
        command line: attrib -r -s -h "c:\users\admin\appdata\local\temp\199903a15e0d8cf4b14dd0a1a0c14c473a43e7d9f939e639c0cf898d1f3b0b0e.exe"
        - Views/modifies file attributes
- PID 568: C:\Windows\system32\AUDIODG.EXE (level 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x444
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 72B
MD5: 1a703f06dd32dd6a486bd7311c14d897
SHA1: 1aeafb16d5f2e581bfd7e66bd057f992792c3655
SHA256: a125b97eb835215a3dc087ac7bf3e2e599f0847cab2e148b18382134b0c5c797
SHA512: 1712085c63e01c976eea3a69fc1b8d2c27d0628686e7b0318fc86ad7ce25ef5a91c4a2c8b9857f900422c5ec1d05017eccebee6fcda227ae037b3cc01c6ae3e8