d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07

Analysis

max time kernel
149s
max time network
132s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
Size

492KB
MD5

6c5a68c3aba0ddcedd8c5b2cd13b65d0
SHA1

6dd1839a937b966096ffc7202810bd02d49aec55
SHA256

d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07
SHA512

8c10f16cb360a9a0383b5b5928451e9a04d2aa3d874263e8f1fc2cb2c469e14cf96da2aa4bd31de732162425b162c05e1c348bec59ea01e8fe94fb455c9cce73
SSDEEP

12288:NWuYKH78FYmqyg31CVUK2IKhujlY8y0aeqsNYQU6VBaa8AYcwHVVFV:vQqs2qFyBai

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\servercik.exe = "C:\\Users\\Admin\\AppData\\Roaming\\servercik.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C:\\Users\\Admin\\AppData\\Local\\Temp.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	%tmp%.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\servercik.exe"	%tmp%.exe

Executes dropped EXE 1 IoCs

pid	Process
1452	%tmp%.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\{CD73DAE2-D48F-AE47-B74C-9899CC4F7AEC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\servercik.exe"	%tmp%.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD73DAE2-D48F-AE47-B74C-9899CC4F7AEC}	%tmp%.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD73DAE2-D48F-AE47-B74C-9899CC4F7AEC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\servercik.exe"	%tmp%.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD73DAE2-D48F-AE47-B74C-9899CC4F7AEC}	%tmp%.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000133d3-56.dat	upx
behavioral1/files/0x00080000000133d3-57.dat	upx
behavioral1/files/0x00080000000133d3-59.dat	upx
behavioral1/files/0x00080000000133d3-65.dat	upx
behavioral1/memory/1452-67-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1452-75-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	%tmp%.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\servercik.exe"	%tmp%.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	%tmp%.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\servercik.exe"	%tmp%.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1016	reg.exe
1888	reg.exe
1928	reg.exe
832	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
Token: 1	1452	%tmp%.exe
Token: SeCreateTokenPrivilege	1452	%tmp%.exe
Token: SeAssignPrimaryTokenPrivilege	1452	%tmp%.exe
Token: SeLockMemoryPrivilege	1452	%tmp%.exe
Token: SeIncreaseQuotaPrivilege	1452	%tmp%.exe
Token: SeMachineAccountPrivilege	1452	%tmp%.exe
Token: SeTcbPrivilege	1452	%tmp%.exe
Token: SeSecurityPrivilege	1452	%tmp%.exe
Token: SeTakeOwnershipPrivilege	1452	%tmp%.exe
Token: SeLoadDriverPrivilege	1452	%tmp%.exe
Token: SeSystemProfilePrivilege	1452	%tmp%.exe
Token: SeSystemtimePrivilege	1452	%tmp%.exe
Token: SeProfSingleProcessPrivilege	1452	%tmp%.exe
Token: SeIncBasePriorityPrivilege	1452	%tmp%.exe
Token: SeCreatePagefilePrivilege	1452	%tmp%.exe
Token: SeCreatePermanentPrivilege	1452	%tmp%.exe
Token: SeBackupPrivilege	1452	%tmp%.exe
Token: SeRestorePrivilege	1452	%tmp%.exe
Token: SeShutdownPrivilege	1452	%tmp%.exe
Token: SeDebugPrivilege	1452	%tmp%.exe
Token: SeAuditPrivilege	1452	%tmp%.exe
Token: SeSystemEnvironmentPrivilege	1452	%tmp%.exe
Token: SeChangeNotifyPrivilege	1452	%tmp%.exe
Token: SeRemoteShutdownPrivilege	1452	%tmp%.exe
Token: SeUndockPrivilege	1452	%tmp%.exe
Token: SeSyncAgentPrivilege	1452	%tmp%.exe
Token: SeEnableDelegationPrivilege	1452	%tmp%.exe
Token: SeManageVolumePrivilege	1452	%tmp%.exe
Token: SeImpersonatePrivilege	1452	%tmp%.exe
Token: SeCreateGlobalPrivilege	1452	%tmp%.exe
Token: 31	1452	%tmp%.exe
Token: 32	1452	%tmp%.exe
Token: 33	1452	%tmp%.exe
Token: 34	1452	%tmp%.exe
Token: 35	1452	%tmp%.exe
Token: SeDebugPrivilege	1452	%tmp%.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1452	%tmp%.exe
1452	%tmp%.exe
1452	%tmp%.exe
1452	%tmp%.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1452	2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe	28
PID 2016 wrote to memory of 1452	2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe	28
PID 2016 wrote to memory of 1452	2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe	28
PID 2016 wrote to memory of 1452	2016	d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe	28
PID 1452 wrote to memory of 596	1452	%tmp%.exe	29
PID 1452 wrote to memory of 596	1452	%tmp%.exe	29
PID 1452 wrote to memory of 596	1452	%tmp%.exe	29
PID 1452 wrote to memory of 596	1452	%tmp%.exe	29
PID 1452 wrote to memory of 1884	1452	%tmp%.exe	30
PID 1452 wrote to memory of 1884	1452	%tmp%.exe	30
PID 1452 wrote to memory of 1884	1452	%tmp%.exe	30
PID 1452 wrote to memory of 1884	1452	%tmp%.exe	30
PID 1452 wrote to memory of 1588	1452	%tmp%.exe	33
PID 1452 wrote to memory of 1588	1452	%tmp%.exe	33
PID 1452 wrote to memory of 1588	1452	%tmp%.exe	33
PID 1452 wrote to memory of 1588	1452	%tmp%.exe	33
PID 1452 wrote to memory of 1276	1452	%tmp%.exe	34
PID 1452 wrote to memory of 1276	1452	%tmp%.exe	34
PID 1452 wrote to memory of 1276	1452	%tmp%.exe	34
PID 1452 wrote to memory of 1276	1452	%tmp%.exe	34
PID 596 wrote to memory of 832	596	cmd.exe	37
PID 596 wrote to memory of 832	596	cmd.exe	37
PID 596 wrote to memory of 832	596	cmd.exe	37
PID 596 wrote to memory of 832	596	cmd.exe	37
PID 1276 wrote to memory of 1016	1276	cmd.exe	38
PID 1276 wrote to memory of 1016	1276	cmd.exe	38
PID 1276 wrote to memory of 1016	1276	cmd.exe	38
PID 1276 wrote to memory of 1016	1276	cmd.exe	38
PID 1884 wrote to memory of 1888	1884	cmd.exe	39
PID 1884 wrote to memory of 1888	1884	cmd.exe	39
PID 1884 wrote to memory of 1888	1884	cmd.exe	39
PID 1884 wrote to memory of 1888	1884	cmd.exe	39
PID 1588 wrote to memory of 1928	1588	cmd.exe	40
PID 1588 wrote to memory of 1928	1588	cmd.exe	40
PID 1588 wrote to memory of 1928	1588	cmd.exe	40
PID 1588 wrote to memory of 1928	1588	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe
"C:\Users\Admin\AppData\Local\Temp\d9f97c2513e9dbc5a065cc4107576e8a9fd22febbd4a5c3857cf388e21cd9b07.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
  "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\servercik.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\servercik.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\servercik.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\servercik.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
175KB

MD5
d2b4adb2ea666230b62b91ab2ff015ce

SHA1
8815248fbd6a70505346e9ffd2fe8a6a63435995

SHA256
ca3f4d3e23acf9fa7689768c28a41286789994b44e79d8e80d295ca21728b7bc

SHA512
6789542a892c3ab1c6d322c1a6f0913206aa81c5966776c3d785ef7a3150a2e4ac4b4f44258704a2052dffe4000c97f26f973509bde8308369ca4cd3c85c1677

Download Submit
C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
175KB

MD5
d2b4adb2ea666230b62b91ab2ff015ce

SHA1
8815248fbd6a70505346e9ffd2fe8a6a63435995

SHA256
ca3f4d3e23acf9fa7689768c28a41286789994b44e79d8e80d295ca21728b7bc

SHA512
6789542a892c3ab1c6d322c1a6f0913206aa81c5966776c3d785ef7a3150a2e4ac4b4f44258704a2052dffe4000c97f26f973509bde8308369ca4cd3c85c1677

Download Submit
\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
175KB

MD5
d2b4adb2ea666230b62b91ab2ff015ce

SHA1
8815248fbd6a70505346e9ffd2fe8a6a63435995

SHA256
ca3f4d3e23acf9fa7689768c28a41286789994b44e79d8e80d295ca21728b7bc

SHA512
6789542a892c3ab1c6d322c1a6f0913206aa81c5966776c3d785ef7a3150a2e4ac4b4f44258704a2052dffe4000c97f26f973509bde8308369ca4cd3c85c1677

Download Submit
\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
175KB

MD5
d2b4adb2ea666230b62b91ab2ff015ce

SHA1
8815248fbd6a70505346e9ffd2fe8a6a63435995

SHA256
ca3f4d3e23acf9fa7689768c28a41286789994b44e79d8e80d295ca21728b7bc

SHA512
6789542a892c3ab1c6d322c1a6f0913206aa81c5966776c3d785ef7a3150a2e4ac4b4f44258704a2052dffe4000c97f26f973509bde8308369ca4cd3c85c1677

Download Submit
memory/1452-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1452-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2016-61-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download