Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe
  Resource: win10v2004-20220812-en
General
Target: e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe
Size: 501KB
MD5: e40043ca830f0cb77887f8e1e1d5cbe2
SHA1: 7316e9ea61c83a28f0d5cc37690cc3f9fff72cc0
SHA256: e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f
SHA512: eac0bb945ee52a6e457a710df5ea6f11d839102e1ae6abdb2f1a2db724c4989c39ed0f20e82b7e409f3876169e9ca325736ea88ff0726d873f608509ed40943d
SSDEEP: 12288:d6TcTq0rfJDGv5rwiglwHZcyDyGXuwNR9nu/yqeD:+Qq+Gv5rw7kZpDXewFu6qe
Malware Config
Signatures
UAC bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Adds Run key to start application 2 TTPs 2 IoCs
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RDSound = "C:\\Users\\Admin\\AppData\\Roaming\\Huawei3gConect.exe" (reg.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2E4276C1-75CB-11ED-B4BC-4A12BD72B3C7} = "0" (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" (iexplore.exe)
Modifies registry key 1 TTPs 2 IoCs
  pid 1404: reg.exe
  pid 1720: reg.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid 1516: iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
  pid 1516: iexplore.exe
  pid 1516: iexplore.exe
  pid 836: IEXPLORE.EXE
  pid 836: IEXPLORE.EXE
Suspicious use of WriteProcessMemory 24 IoCs
  PID 1980 wrote to memory of 632: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 28
  PID 1980 wrote to memory of 632: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 28
  PID 1980 wrote to memory of 632: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 28
  PID 1980 wrote to memory of 632: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 28
  PID 1980 wrote to memory of 976: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 30
  PID 1980 wrote to memory of 976: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 30
  PID 1980 wrote to memory of 976: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 30
  PID 1980 wrote to memory of 976: pid 1980, process e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe, procid_target 30
  PID 976 wrote to memory of 1416: pid 976, process cmd.exe, procid_target 32
  PID 976 wrote to memory of 1416: pid 976, process cmd.exe, procid_target 32
  PID 976 wrote to memory of 1416: pid 976, process cmd.exe, procid_target 32
  PID 976 wrote to memory of 1416: pid 976, process cmd.exe, procid_target 32
  PID 1416 wrote to memory of 1404: pid 1416, process cmd.exe, procid_target 33
  PID 1416 wrote to memory of 1404: pid 1416, process cmd.exe, procid_target 33
  PID 1416 wrote to memory of 1404: pid 1416, process cmd.exe, procid_target 33
  PID 1416 wrote to memory of 1404: pid 1416, process cmd.exe, procid_target 33
  PID 632 wrote to memory of 1720: pid 632, process cmd.exe, procid_target 34
  PID 632 wrote to memory of 1720: pid 632, process cmd.exe, procid_target 34
  PID 632 wrote to memory of 1720: pid 632, process cmd.exe, procid_target 34
  PID 632 wrote to memory of 1720: pid 632, process cmd.exe, procid_target 34
  PID 1516 wrote to memory of 836: pid 1516, process iexplore.exe, procid_target 38
  PID 1516 wrote to memory of 836: pid 1516, process iexplore.exe, procid_target 38
  PID 1516 wrote to memory of 836: pid 1516, process iexplore.exe, procid_target 38
  PID 1516 wrote to memory of 836: pid 1516, process iexplore.exe, procid_target 38
Processes

C:\Users\Admin\AppData\Local\Temp\e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e6a0e25a6cc046b54a861de9d9692391827a6a1ae37924ea4b2389f27e131d7f.exe"
- Suspicious use of WriteProcessMemory
PID: 1980

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Nreg.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 632

    C:\Windows\SysWOW64\reg.exe
    Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RDSound /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Huawei3gConect.exe" /f
    - Adds Run key to start application
    - Modifies registry key
    PID: 1720

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\NUac.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 976

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    PID: 1416

      C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
      PID: 1404

C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1516

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 836
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 164B
MD5: c80c14c9b9ffd63a2ed8037940d75103
SHA1: 3f24e10b213bd483067709c8c4f7b75c29464eff
SHA256: 236f2acb03d56106f0e6b693108f25ed2eb9b7d0503a84e6948e797f8c15dd6b
SHA512: f51619a769fc86bc091bd1a534c6cac5d8c426ddd9784fd98bb23b7f0c699fcc473722dffa1196391c3e92f4647ce96de4b3326c25f49014552b0346a6f4e2c9

Filesize: 124B
MD5: 5dcd3f0dbe707b6c4c54020c88f722cd
SHA1: 9343cc6c911f5a80a010d501428ce9a347acfcf2
SHA256: 4e61546611506a8f677c6e45e4c8124a5a2f0a7c4a0525bbcb5b590fd23ab345
SHA512: a44eb7fffba50a852590e0f3d7505f0120a2bdde67839eddcd50e84a44f4b6e0f7b867533694f153432534a7bb52aac0a4471a086d2d10881a839501bc4cbfaa