Analysis
-
max time kernel
145s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
03-12-2022 03:21
Static task
static1
Behavioral task
behavioral1
Sample
e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
Resource
win10v2004-20220901-en
General
-
Target
e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
-
Size
128KB
-
MD5
18557ef30c2b6532c74712ca0c6b8d30
-
SHA1
219d4c24f6c3d412704bb88e6ee53ccc81cda412
-
SHA256
e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812
-
SHA512
91cf614334250cbd1955f2577e8c9992854e2b5effc787d2b79e9afe1f69f48d83728320330d21c17b7249a5a50309cea2b13c7f441a4c9aa5a42429b0a83f7b
-
SSDEEP
3072:EQ1m24hjpYg2C47wRHpv0rZS2jbxWGqt:EQQNbjJmwxAZSbGq
Malware Config
Extracted
tofsee
91.218.38.211
188.130.237.71
185.25.48.10
188.165.132.183
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1648  rejwbohp.exe
-
Deletes itself 1 IoCs
Processes:
  pid   process
  1008  cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid  process
  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\rejwbohp.exe\""
  process:      e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description:     PID 1648 set thread context of 2012
  pid:             1648
  process:         rejwbohp.exe
  target process:  svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of UnmapMainImage 2 IoCs
Processes:
  pid   process
  916   e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
  1648  rejwbohp.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description  pid  process  target process
  PID 916 wrote to memory of 1648  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  rejwbohp.exe
  PID 916 wrote to memory of 1648  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  rejwbohp.exe
  PID 916 wrote to memory of 1648  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  rejwbohp.exe
  PID 916 wrote to memory of 1648  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  rejwbohp.exe
  PID 1648 wrote to memory of 2012  1648  rejwbohp.exe  svchost.exe
  PID 1648 wrote to memory of 2012  1648  rejwbohp.exe  svchost.exe
  PID 1648 wrote to memory of 2012  1648  rejwbohp.exe  svchost.exe
  PID 1648 wrote to memory of 2012  1648  rejwbohp.exe  svchost.exe
  PID 1648 wrote to memory of 2012  1648  rejwbohp.exe  svchost.exe
  PID 1648 wrote to memory of 2012  1648  rejwbohp.exe  svchost.exe
  PID 916 wrote to memory of 1008  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  cmd.exe
  PID 916 wrote to memory of 1008  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  cmd.exe
  PID 916 wrote to memory of 1008  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  cmd.exe
  PID 916 wrote to memory of 1008  916  e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e77e9bd28dfc320d36293519ee10631996af59ccb93bb220b15ea21eb925b812.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\rejwbohp.exe
    command line: "C:\Users\Admin\rejwbohp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4587.bat" "
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4587.bat
Filesize
302B
MD5 1e289fe8333eb92b7d6e9bf429f19df7
SHA1 2aa65dfd109e4761320ba77c7ef673ed330ec40f
SHA256 81bbedbed2653d500ed3264df40700053b523d39efd99ee14e1c204c88f5e45c
SHA512 8189bc3b2e7bd19d2f2ed429901a5c7ebd9af626c40a6c93eb9f579d7c3c08827617be41915e5505971159088db98fb56adb5e5d710153755048e54fe9a89dc3
-
C:\Users\Admin\rejwbohp.exe
Filesize
43.1MB
MD5 583cc9bbc45f96cf30d2e35d08c86467
SHA1 502cb29a461cfe58d9e42a01f9854efd25b804c2
SHA256 056e698bd68a5baf58bd2ba6a6ab9f86650aa5110a7095a9eb0678f962713dd4
SHA512 4d558e8044e06c1f7cd12e16424666133791fd875bd296f2a59c45752ea19714bd310047404e702a83698d608826c55897c8137f08e85c8274b8899fb65ab553
-
\Users\Admin\rejwbohp.exe
Filesize
43.1MB
MD5 583cc9bbc45f96cf30d2e35d08c86467
SHA1 502cb29a461cfe58d9e42a01f9854efd25b804c2
SHA256 056e698bd68a5baf58bd2ba6a6ab9f86650aa5110a7095a9eb0678f962713dd4
SHA512 4d558e8044e06c1f7cd12e16424666133791fd875bd296f2a59c45752ea19714bd310047404e702a83698d608826c55897c8137f08e85c8274b8899fb65ab553
-
memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp
Filesize
8KB
-
memory/916-60-0x0000000000330000-0x0000000000367000-memory.dmp
Filesize
220KB
-
memory/916-56-0x0000000000250000-0x0000000000262000-memory.dmp
Filesize
72KB
-
memory/916-62-0x0000000000330000-0x0000000000367000-memory.dmp
Filesize
220KB
-
memory/916-55-0x0000000000400000-0x0000000000437000-memory.dmp
Filesize
220KB
-
memory/916-76-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/1008-75-0x0000000000000000-mapping.dmp
-
memory/1648-59-0x0000000000000000-mapping.dmp
-
memory/1648-68-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/1648-71-0x0000000000250000-0x0000000000262000-memory.dmp
Filesize
72KB
-
memory/2012-67-0x00000000000C7860-mapping.dmp
-
memory/2012-74-0x00000000000C0000-0x00000000000D2000-memory.dmp
Filesize
72KB
-
memory/2012-66-0x00000000000C0000-0x00000000000D2000-memory.dmp
Filesize
72KB
-
memory/2012-64-0x00000000000C0000-0x00000000000D2000-memory.dmp
Filesize
72KB
-
memory/2012-78-0x00000000000C0000-0x00000000000D2000-memory.dmp
Filesize
72KB