973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

Analysis

max time kernel
46s
max time network
53s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe
Size

92KB
MD5

9dd28208be6453c12240edee598d01c5
SHA1

3d028abe60716c6276fcd53a3e24cc614627db86
SHA256

973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff
SHA512

9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f
SSDEEP

1536:/giuHKiksDOIeAMGXGyoI9y+kpFm94msrP9UnCcyUngZuc163Xqqi9D:YnKtsDOpAMGXGyoI9kpFm94msrP9UCco

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SystemService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbot\\svchost.exe"	REG.exe

Executes dropped EXE 1 IoCs

pid	Process
1548	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
976	973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe
976	973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1320	REG.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1548	976	973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe	28
PID 976 wrote to memory of 1548	976	973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe	28
PID 976 wrote to memory of 1548	976	973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe	28
PID 976 wrote to memory of 1548	976	973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe	28
PID 1548 wrote to memory of 1320	1548	svchost.exe	29
PID 1548 wrote to memory of 1320	1548	svchost.exe	29
PID 1548 wrote to memory of 1320	1548	svchost.exe	29
PID 1548 wrote to memory of 1320	1548	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe
"C:\Users\Admin\AppData\Local\Temp\973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run /V "SystemService" /D "C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe" /F
    3⤵
    - Adds policy Run key to start application
    - Modifies registry key
    PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe

Filesize
92KB

MD5
9dd28208be6453c12240edee598d01c5

SHA1
3d028abe60716c6276fcd53a3e24cc614627db86

SHA256
973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

SHA512
9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe

Filesize
92KB

MD5
9dd28208be6453c12240edee598d01c5

SHA1
3d028abe60716c6276fcd53a3e24cc614627db86

SHA256
973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

SHA512
9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

Download Submit
\Users\Admin\AppData\Local\Temp\gbot\svchost.exe

Filesize
92KB

MD5
9dd28208be6453c12240edee598d01c5

SHA1
3d028abe60716c6276fcd53a3e24cc614627db86

SHA256
973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

SHA512
9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

Download Submit
\Users\Admin\AppData\Local\Temp\gbot\svchost.exe

Filesize
92KB

MD5
9dd28208be6453c12240edee598d01c5

SHA1
3d028abe60716c6276fcd53a3e24cc614627db86

SHA256
973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

SHA512
9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

Download Submit
memory/976-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1320-60-0x0000000000000000-mapping.dmp

Download
memory/1548-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads