Analysis
-
max time kernel
26s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2022 04:29
Static task
static1
Behavioral task
behavioral1
Sample
cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
Resource
win10v2004-20220901-en
General
-
Target
cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
-
Size
593KB
-
MD5
67aca6a4e6a6bff00b3f6868671d443a
-
SHA1
b4eeee56d52d4d64248b5cdbcc933f3eb5b4e371
-
SHA256
cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62
-
SHA512
beb96c2c06f54b5f1186ac0b5906717eb96760eaca9f265a35f0176dd77d845c5ad5beff5cc2d37f22243b7b5488371f20b3da6a16a3c233d34a9074232089aa
-
SSDEEP
12288:VuBSP/amC/BJSpc/aaT9/gur79Yq63kfydqAKTE1qH:sA6/Bwy/aI/gK79YH0FAgxH
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
BqjnC0gFVHRul8.exewin.exewio.exewiq.exepid process 864 BqjnC0gFVHRul8.exe 820 win.exe 4288 wio.exe 5016 wiq.exe -
Processes:
resource yara_rule behavioral2/memory/3084-162-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/3084-165-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/3084-166-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral2/memory/3084-167-0x0000000000400000-0x000000000040E000-memory.dmp upx -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3880 rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fgideburimuq = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\maLAp10.dll\",Startup" rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
win.exedescription ioc process File opened for modification \??\physicaldrive0 win.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
wiq.exedescription pid process target process PID 5016 set thread context of 3084 5016 wiq.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
BqjnC0gFVHRul8.exesvchost.exepid process 864 BqjnC0gFVHRul8.exe 864 BqjnC0gFVHRul8.exe 3084 svchost.exe 3084 svchost.exe 864 BqjnC0gFVHRul8.exe 864 BqjnC0gFVHRul8.exe 3084 svchost.exe 3084 svchost.exe 3084 svchost.exe 3084 svchost.exe 3084 svchost.exe 3084 svchost.exe 3084 svchost.exe 3084 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
win.exedescription pid process Token: SeShutdownPrivilege 820 win.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
BqjnC0gFVHRul8.exewiq.exepid process 864 BqjnC0gFVHRul8.exe 5016 wiq.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exewio.exewiq.exedescription pid process target process PID 848 wrote to memory of 864 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe BqjnC0gFVHRul8.exe PID 848 wrote to memory of 864 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe BqjnC0gFVHRul8.exe PID 848 wrote to memory of 864 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe BqjnC0gFVHRul8.exe PID 848 wrote to memory of 820 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe win.exe PID 848 wrote to memory of 820 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe win.exe PID 848 wrote to memory of 820 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe win.exe PID 848 wrote to memory of 4288 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe wio.exe PID 848 wrote to memory of 4288 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe wio.exe PID 848 wrote to memory of 4288 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe wio.exe PID 848 wrote to memory of 5016 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe wiq.exe PID 848 wrote to memory of 5016 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe wiq.exe PID 848 wrote to memory of 5016 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe wiq.exe PID 848 wrote to memory of 1732 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe cmd.exe PID 848 wrote to memory of 1732 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe cmd.exe PID 848 wrote to memory of 1732 848 cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe cmd.exe PID 4288 wrote to memory of 3880 4288 wio.exe rundll32.exe PID 4288 wrote to memory of 3880 4288 wio.exe rundll32.exe PID 4288 wrote to memory of 3880 4288 wio.exe rundll32.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe PID 5016 wrote to memory of 3084 5016 wiq.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe"C:\Users\Admin\AppData\Local\Temp\cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\BqjnC0gFVHRul8.exeBqjnC0gFVHRul8.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\win.exewin.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\wiq.exewiq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\wio.exewio.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\maLAp10.dll",Startup3⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.execmd /c del cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\maLAp10.dllFilesize
103KB
MD519f8a2d4e8270baf8bd5a6086f565e70
SHA1b5a05abe09066906b569f0fadefb00fb567ef547
SHA2562f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50
SHA5128a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63
-
C:\Users\Admin\AppData\Local\maLAp10.dllFilesize
103KB
MD519f8a2d4e8270baf8bd5a6086f565e70
SHA1b5a05abe09066906b569f0fadefb00fb567ef547
SHA2562f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50
SHA5128a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63
-
C:\Users\Admin\BqjnC0gFVHRul8.exeFilesize
148KB
MD5fc8e30e732d9e1483b7d29ea39ad9c15
SHA104215f820a214d11e1dd9a832ac264605cf98604
SHA256c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585
SHA512d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6
-
C:\Users\Admin\BqjnC0gFVHRul8.exeFilesize
148KB
MD5fc8e30e732d9e1483b7d29ea39ad9c15
SHA104215f820a214d11e1dd9a832ac264605cf98604
SHA256c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585
SHA512d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6
-
C:\Users\Admin\win.exeFilesize
172KB
MD516dfe37b77854e727eabedd05239ebee
SHA19218bb944834fb46eb2f04858ada0dacdf821d77
SHA2568ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267
SHA51256c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903
-
C:\Users\Admin\win.exeFilesize
172KB
MD516dfe37b77854e727eabedd05239ebee
SHA19218bb944834fb46eb2f04858ada0dacdf821d77
SHA2568ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267
SHA51256c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903
-
C:\Users\Admin\wio.exeFilesize
103KB
MD5f7756f6980dc23ef661085d6cd999831
SHA1cd77f7a9bc8c058023779a531e2deac8c3241638
SHA25653122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740
SHA512b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df
-
C:\Users\Admin\wio.exeFilesize
103KB
MD5f7756f6980dc23ef661085d6cd999831
SHA1cd77f7a9bc8c058023779a531e2deac8c3241638
SHA25653122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740
SHA512b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df
-
C:\Users\Admin\wiq.exeFilesize
52KB
MD565a849404ffe62e0d2f56d7993f00920
SHA16401a9e92690172958fbf0ee122990479628e92f
SHA256afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50
SHA51299af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38
-
C:\Users\Admin\wiq.exeFilesize
52KB
MD565a849404ffe62e0d2f56d7993f00920
SHA16401a9e92690172958fbf0ee122990479628e92f
SHA256afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50
SHA51299af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38
-
memory/820-163-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/820-134-0x0000000000000000-mapping.dmp
-
memory/820-160-0x0000000002430000-0x0000000002486000-memory.dmpFilesize
344KB
-
memory/820-159-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/820-158-0x0000000002430000-0x0000000002486000-memory.dmpFilesize
344KB
-
memory/820-156-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/820-155-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/864-132-0x0000000000000000-mapping.dmp
-
memory/1732-143-0x0000000000000000-mapping.dmp
-
memory/3084-167-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/3084-161-0x0000000000000000-mapping.dmp
-
memory/3084-162-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/3084-165-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/3084-166-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/3880-147-0x0000000000000000-mapping.dmp
-
memory/3880-157-0x0000000001061000-0x000000000106F000-memory.dmpFilesize
56KB
-
memory/3880-152-0x0000000010000000-0x000000001001D000-memory.dmpFilesize
116KB
-
memory/4288-154-0x0000000002021000-0x000000000202F000-memory.dmpFilesize
56KB
-
memory/4288-142-0x0000000010000000-0x000000001001D000-memory.dmpFilesize
116KB
-
memory/4288-138-0x0000000000000000-mapping.dmp
-
memory/5016-141-0x0000000000000000-mapping.dmp