f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5

Analysis

max time kernel
150s
max time network
54s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
Size

100KB
MD5

7d2e4cd208e47ff3ff2cd88a7a5c9aea
SHA1

b5b517fad6bc1f1658cfe86f215cd7b958c8914f
SHA256

f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5
SHA512

41676f8b1380d9b0fe20d6d73eafbeb799c44986c233155a7ae1d8898178790b53cf3e89cf97485e8ea83dd56184d3f626d44cc0414cb5cff4c1d23b0a2bde81
SSDEEP

1536:jRHi0gNmp4BNRXAEwqScgDz0Bg2PDXJRde/SwvFMYVwC+QaMaS+XjLlm:5F4zDfDXJVI+fS+3s

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ljruow.exe

Executes dropped EXE 1 IoCs

pid	Process
952	ljruow.exe

Loads dropped DLL 2 IoCs

pid	Process
1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /t"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /n"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /m"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /d"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /l"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /y"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /w"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /z"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /j"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /k"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /x"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /p"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /b"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /r"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /o"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /d"	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /u"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /i"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /v"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /f"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /s"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /g"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /q"	ljruow.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /a"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /c"	ljruow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /e"	ljruow.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljruow = "C:\\Users\\Admin\\ljruow.exe /h"	ljruow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe
952	ljruow.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
952	ljruow.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 952	1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe	28
PID 1808 wrote to memory of 952	1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe	28
PID 1808 wrote to memory of 952	1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe	28
PID 1808 wrote to memory of 952	1808	f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe	28

C:\Users\Admin\AppData\Local\Temp\f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe
"C:\Users\Admin\AppData\Local\Temp\f2cd9a66b39efb9b67dc670ad20d14b33ef1f2cbb9b94cc9c0eb8cdfd8852af5.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\ljruow.exe
  "C:\Users\Admin\ljruow.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ljruow.exe

Filesize
100KB

MD5
4fbd3afea5ad24a432596d69c19072b8

SHA1
8133aeb41f0bf857f79fffef9d590a2ecd91c706

SHA256
04c19c6f06c19cdac07bdfada501cf5a74423818674ed1bb4af2235d58ba7d69

SHA512
1e4c730db1aebc5ebca6c0826a1fd7caddee0c45c443635eead71be878816b9bbd2fcf811c37c27cc2ffea85ffebc08c2a23cc1291c152db20abc04e9aa21ad2

Download Submit
C:\Users\Admin\ljruow.exe

Filesize
100KB

MD5
4fbd3afea5ad24a432596d69c19072b8

SHA1
8133aeb41f0bf857f79fffef9d590a2ecd91c706

SHA256
04c19c6f06c19cdac07bdfada501cf5a74423818674ed1bb4af2235d58ba7d69

SHA512
1e4c730db1aebc5ebca6c0826a1fd7caddee0c45c443635eead71be878816b9bbd2fcf811c37c27cc2ffea85ffebc08c2a23cc1291c152db20abc04e9aa21ad2

Download Submit
\Users\Admin\ljruow.exe

Filesize
100KB

MD5
4fbd3afea5ad24a432596d69c19072b8

SHA1
8133aeb41f0bf857f79fffef9d590a2ecd91c706

SHA256
04c19c6f06c19cdac07bdfada501cf5a74423818674ed1bb4af2235d58ba7d69

SHA512
1e4c730db1aebc5ebca6c0826a1fd7caddee0c45c443635eead71be878816b9bbd2fcf811c37c27cc2ffea85ffebc08c2a23cc1291c152db20abc04e9aa21ad2

Download Submit
\Users\Admin\ljruow.exe

Filesize
100KB

MD5
4fbd3afea5ad24a432596d69c19072b8

SHA1
8133aeb41f0bf857f79fffef9d590a2ecd91c706

SHA256
04c19c6f06c19cdac07bdfada501cf5a74423818674ed1bb4af2235d58ba7d69

SHA512
1e4c730db1aebc5ebca6c0826a1fd7caddee0c45c443635eead71be878816b9bbd2fcf811c37c27cc2ffea85ffebc08c2a23cc1291c152db20abc04e9aa21ad2

Download Submit
memory/1808-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download