Analysis
  max time kernel: 150s
  max time network: 141s
  platform: windows7_x64
  resource: win7-20220901-en
  resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted: 03-12-2022 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
  Resource: win10v2004-20221111-en
General
  Target: 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
  Size: 112KB
  MD5: 5a6a31f7c26edcbd7451fc754cededa0
  SHA1: 2d206c40b063cc9734eaff5f3404a02c891a3715
  SHA256: 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1
  SHA512: 78e32f09e75314b317c14e4c0b1f9b1a82aa8090ca494b03e6f4cb717a7554d05029441da119972cb7053cef5dfb5095ef92559f2113bbce8cce8febbefbdba5
  SSDEEP: 3072:stS1US4uacfhaYd2gya+DW58DzS2jbxWGqeo:stS7faqcYd2seHSbGqeo
Malware Config
  Extracted family: tofsee
  C2:
    91.218.39.211
    188.130.237.44
    91.204.162.103
    188.165.132.183
    rgtryhbgddtyh.biz
    wertdghbyrukl.ch
Signatures
  Executes dropped EXE (1 IoC)
    Processes: PID 1896 tumkkewj.exe
  Deletes itself (1 IoC)
    Processes: PID 1716 cmd.exe
  Loads dropped DLL (2 IoCs)
    Processes:
      PID 2028 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
      PID 2028 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    Processes:
      description: Set value (str)
      ioc: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\tumkkewj.exe\""
      process: 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
  Suspicious use of SetThreadContext (1 IoC)
    Processes: PID 1896 (tumkkewj.exe) set thread context of PID 2012 (svchost.exe)
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of UnmapMainImage (2 IoCs)
    Processes:
      PID 2028 9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
      PID 1896 tumkkewj.exe
  Suspicious use of WriteProcessMemory (14 IoCs)
    Processes:
      PID 2028 (9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe) wrote to memory of PID 1896 (tumkkewj.exe), 4 times
      PID 1896 (tumkkewj.exe) wrote to memory of PID 2012 (svchost.exe), 6 times
      PID 2028 (9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe) wrote to memory of PID 1716 (cmd.exe), 4 times
Processes
  1. C:\Users\Admin\AppData\Local\Temp\9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\9b05b05532fac19bb2945c236b032037a7cd0b0d5149fccfc30e7fb3f6b825f1.exe"
     - Loads dropped DLL
     - Adds Run key to start application
     - Suspicious use of UnmapMainImage
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\tumkkewj.exe
        command line: "C:\Users\Admin\tumkkewj.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\svchost.exe
           command line: svchost.exe
     2. C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7474.bat" "
        - Deletes itself
Downloads
  C:\Users\Admin\AppData\Local\Temp\7474.bat
    Filesize: 302B
    MD5: 9413b3b8a0a2edbe2b20203f78a217f9
    SHA1: 4bc9add396c1294d2a4476da31e621dafe7bd8e4
    SHA256: 0f6732948ca487fbc0a0c72865f5643c2d57520f56255a50249cda1f842c93ee
    SHA512: 30f7666f9076718bb996d8db17d5f8bc4f7b86190910337b7c2b1b05af425c7592fdd17e5fbfb71d734bcb53a7a7f812a165a5c76c0df44b718deb428a0751ca
  C:\Users\Admin\tumkkewj.exe
    Filesize: 45.3MB
    MD5: 4f57ae03330e7da129f0252cd7009d49
    SHA1: 1213d8f09053f5b0f8071048b84e2321b50fd8eb
    SHA256: 6516feea45633470c46e5ce40d62245f085b5c273954f0f32edd4bf1eb4e6843
    SHA512: a9cec7a759bf5a35b96da0ed901434f157dd1fa7c8e42e23e60fa7a14f76de8121cc1ded2e3c2dcfcf466276764648c660fe873bb058fbbe42f6f025794f7e66
  \Users\Admin\tumkkewj.exe
    Filesize: 45.3MB
    MD5: 4f57ae03330e7da129f0252cd7009d49
    SHA1: 1213d8f09053f5b0f8071048b84e2321b50fd8eb
    SHA256: 6516feea45633470c46e5ce40d62245f085b5c273954f0f32edd4bf1eb4e6843
    SHA512: a9cec7a759bf5a35b96da0ed901434f157dd1fa7c8e42e23e60fa7a14f76de8121cc1ded2e3c2dcfcf466276764648c660fe873bb058fbbe42f6f025794f7e66
  memory/1716-73-0x0000000000000000-mapping.dmp
  memory/1896-63-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  memory/1896-62-0x0000000000240000-0x0000000000252000-memory.dmp (Filesize: 72KB)
  memory/1896-68-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
  memory/1896-59-0x0000000000000000-mapping.dmp
  memory/2012-64-0x0000000000100000-0x0000000000112000-memory.dmp (Filesize: 72KB)
  memory/2012-67-0x000000000010785F-mapping.dmp
  memory/2012-66-0x0000000000100000-0x0000000000112000-memory.dmp (Filesize: 72KB)
  memory/2012-76-0x0000000000100000-0x0000000000112000-memory.dmp (Filesize: 72KB)
  memory/2012-77-0x0000000000100000-0x0000000000112000-memory.dmp (Filesize: 72KB)
  memory/2028-54-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize: 8KB)
  memory/2028-56-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  memory/2028-74-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
  memory/2028-55-0x0000000000240000-0x0000000000252000-memory.dmp (Filesize: 72KB)