e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d

Analysis

max time kernel
185s
max time network
185s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
Size

569KB
MD5

7fd9af1c1a854f847f2ffe95458dcfd9
SHA1

7c8b78682ab85ee6a2e2800485d6889560490cc7
SHA256

e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d
SHA512

c53eeacad56a512bdc55f92a463b6d8f5858cdd900027b5ef250b9af64e1f36ec91f888d74dbd0245058cea7dc646e6c074315d3f71ad4eaefda8c7fd5c180d6
SSDEEP

12288:f3nZMhJ+ubN8pqZP9keT9hbdotzjnzrrm837L+R/4YjunOL0vyqqaw:f3nZqfb+pqZVkeT9hbmzPmHtvun8ww

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1344	wina.exe
668	Tibia.exe
824	svghost.exe
1576	updater.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svghost.exe	svghost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\svghost.exe	svghost.exe

Loads dropped DLL 12 IoCs

pid	Process
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
1344	wina.exe
1344	wina.exe
1344	wina.exe
1344	wina.exe
1344	wina.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	Tibia.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Tibia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Tibia.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV	Tibia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\ = "URL:Open Tibia Server"	Tibia.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\EditFlags = "2"	Tibia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\Source Filter	Tibia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\URL Protocol	Tibia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\shell\open\command	Tibia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\shell	Tibia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\shell\open	Tibia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OTSERV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Tibia.exe %1"	Tibia.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	Tibia.exe
668	Tibia.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	Tibia.exe
Token: 33	692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	692	AUDIODG.EXE
Token: 33	692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	692	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
668	Tibia.exe
668	Tibia.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 1344	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	28
PID 1056 wrote to memory of 668	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	29
PID 1056 wrote to memory of 668	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	29
PID 1056 wrote to memory of 668	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	29
PID 1056 wrote to memory of 668	1056	e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe	29
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 1344 wrote to memory of 824	1344	wina.exe	30
PID 668 wrote to memory of 1576	668	Tibia.exe	33
PID 668 wrote to memory of 1576	668	Tibia.exe	33
PID 668 wrote to memory of 1576	668	Tibia.exe	33

C:\Users\Admin\AppData\Local\Temp\e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
"C:\Users\Admin\AppData\Local\Temp\e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\wina.exe
  "C:\Users\Admin\AppData\Local\Temp\wina.exe" -papapa
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\svghost.exe
    "C:\Users\Admin\AppData\Local\Temp\svghost.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    PID:824
- C:\Users\Admin\AppData\Local\Temp\Tibia.exe
  "C:\Users\Admin\AppData\Local\Temp\Tibia.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\updater.exe
    "C:\Users\Admin\AppData\Local\Temp\updater.exe" 0;0;1104;668
    3⤵
    - Executes dropped EXE
    PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tibia.exe

Filesize
343KB

MD5
4ff5f5486f49137cf5919acf6dd6a99b

SHA1
aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

SHA256
f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

SHA512
b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tibia.exe

Filesize
343KB

MD5
4ff5f5486f49137cf5919acf6dd6a99b

SHA1
aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

SHA256
f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

SHA512
b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

Download Submit
C:\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
88KB

MD5
b2424fda6bec648a48263784e27722de

SHA1
4fb66ac21edd9b3243c36ce2f2c32cb7270e007b

SHA256
ba0d15bec9e42159c9675eabea6a8ef068906fb324b6716f54345a87f81a1731

SHA512
8b86f8c9b372b94c66185ffd94ca2e5ad66be576afba2327814a10fd131bd1e38f4bab92459570023328264b9faf687292e04ff37e25ef2d3d76b09fac8bee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
88KB

MD5
b2424fda6bec648a48263784e27722de

SHA1
4fb66ac21edd9b3243c36ce2f2c32cb7270e007b

SHA256
ba0d15bec9e42159c9675eabea6a8ef068906fb324b6716f54345a87f81a1731

SHA512
8b86f8c9b372b94c66185ffd94ca2e5ad66be576afba2327814a10fd131bd1e38f4bab92459570023328264b9faf687292e04ff37e25ef2d3d76b09fac8bee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wina.exe

Filesize
220KB

MD5
dc693b8d851d7474685d27767e9944d2

SHA1
6858885841bd97337984f0179fd0e7437a39db97

SHA256
0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

SHA512
afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wina.exe

Filesize
220KB

MD5
dc693b8d851d7474685d27767e9944d2

SHA1
6858885841bd97337984f0179fd0e7437a39db97

SHA256
0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

SHA512
afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

Download Submit
\Users\Admin\AppData\Local\Temp\Tibia.exe

Filesize
343KB

MD5
4ff5f5486f49137cf5919acf6dd6a99b

SHA1
aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

SHA256
f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

SHA512
b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

Download Submit
\Users\Admin\AppData\Local\Temp\Tibia.exe

Filesize
343KB

MD5
4ff5f5486f49137cf5919acf6dd6a99b

SHA1
aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

SHA256
f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

SHA512
b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

Download Submit
\Users\Admin\AppData\Local\Temp\Tibia.exe

Filesize
343KB

MD5
4ff5f5486f49137cf5919acf6dd6a99b

SHA1
aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

SHA256
f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

SHA512
b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

Download Submit
\Users\Admin\AppData\Local\Temp\Tibia.exe

Filesize
343KB

MD5
4ff5f5486f49137cf5919acf6dd6a99b

SHA1
aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

SHA256
f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

SHA512
b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

Download Submit
\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
\Users\Admin\AppData\Local\Temp\svghost.exe

Filesize
501KB

MD5
a252c588ae7c5ef6c86be590c86a9c8e

SHA1
232bfa074deeea0d1435e42abbf5b57e75eb7e12

SHA256
1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

SHA512
619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

Download Submit
\Users\Admin\AppData\Local\Temp\wina.exe

Filesize
220KB

MD5
dc693b8d851d7474685d27767e9944d2

SHA1
6858885841bd97337984f0179fd0e7437a39db97

SHA256
0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

SHA512
afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

Download Submit
\Users\Admin\AppData\Local\Temp\wina.exe

Filesize
220KB

MD5
dc693b8d851d7474685d27767e9944d2

SHA1
6858885841bd97337984f0179fd0e7437a39db97

SHA256
0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

SHA512
afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

Download Submit
\Users\Admin\AppData\Local\Temp\wina.exe

Filesize
220KB

MD5
dc693b8d851d7474685d27767e9944d2

SHA1
6858885841bd97337984f0179fd0e7437a39db97

SHA256
0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

SHA512
afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

Download Submit
memory/668-80-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download
memory/668-69-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/668-79-0x000007FEF2500000-0x000007FEF3596000-memory.dmp

Filesize
16.6MB

Download
memory/668-81-0x0000000000B36000-0x0000000000B55000-memory.dmp

Filesize
124KB

Download
memory/1056-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1576-85-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/1576-86-0x000007FEF2500000-0x000007FEF3596000-memory.dmp

Filesize
16.6MB

Download
memory/1576-87-0x0000000000C86000-0x0000000000CA5000-memory.dmp

Filesize
124KB

Download
memory/1576-89-0x0000000000C86000-0x0000000000CA5000-memory.dmp

Filesize
124KB

Download