ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675

Analysis

max time kernel
187s
max time network
245s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
Size

148KB
MD5

c5820d40fb2150b2a5d6c882a7837d24
SHA1

77996ce5801aff8229a6df7a4e1a30b82a7925af
SHA256

ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675
SHA512

2b12b55f9a4567e185dde5d07e4d962e86303680524b2754603b7e5ee4a5fe662c005c19a44af1ad0aecafac12495eb9b6a86a9881df90578a18fe92d54ea7b1
SSDEEP

3072:Xz4Y57AxLliwriYXbg3HqNwiQwqEJueXsjIWlrOxQCi0uXJObT:D4Y5kxxriUSKCCJuss0W8xQCi0aC

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	rms.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012750-65.dat	upx
behavioral1/files/0x0008000000012750-66.dat	upx
behavioral1/files/0x0008000000012750-68.dat	upx
behavioral1/memory/2020-72-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2020-75-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
728	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\rms.exe \\u"	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\userdiff.sav	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
File created	C:\Windows\SysWOW64\userdiff.sav	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
File opened for modification	C:\Windows\SysWOW64\userdiff.sav	rms.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 2020 set thread context of 592	2020	rms.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 1140 wrote to memory of 296	1140	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	28
PID 296 wrote to memory of 2020	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	29
PID 296 wrote to memory of 2020	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	29
PID 296 wrote to memory of 2020	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	29
PID 296 wrote to memory of 2020	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	29
PID 296 wrote to memory of 728	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	30
PID 296 wrote to memory of 728	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	30
PID 296 wrote to memory of 728	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	30
PID 296 wrote to memory of 728	296	ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe	30
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32
PID 2020 wrote to memory of 592	2020	rms.exe	32

C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
"C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe
  "C:\Users\Admin\AppData\Local\Temp\ea32d88080efdc864bbe711bfab95ea93820463da53acdf0965eefbda13b0675.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\rms.exe
    \u
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6515.bat" "
    3⤵
    - Deletes itself
    PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6515.bat

Filesize
135B

MD5
f7e25f65dfa5c9f372729acbb03b036b

SHA1
5c0eb57b638a81c60a7624f76862b519b989843e

SHA256
f1aeef1c07f9561615c99f57f188a8ae5964c5bb3b595e8cbda9b8c0ac558e3b

SHA512
bec9d148076a3450ef010a455671e125e0ce882fb83869b94c1a62413e5d556e9923363d273e49e966bae5ca1afacb244424950e5e2ee0c1af8a9f663b42e779

Download Submit
C:\Users\Admin\rms.exe

Filesize
33KB

MD5
7f18d543029468ba18b55e70fdf253c5

SHA1
9d9337e9b559a39367e9a0a6198b3499ed515628

SHA256
67be0257e5818ee64166bba1cc43109dc662790ad9807400020a61e625a3223f

SHA512
1608eee2148235acec1bdea4411d08a37980408d57cdc908103429843f2bb8319947eade92f7ad613b63f79ffdea4bcf9991fddd64aca818c07b4c3aaf5feacd

Download Submit
C:\Windows\SysWOW64\userdiff.sav

Filesize
46KB

MD5
6e37fc0c339262aa757ea92ac1c79803

SHA1
045ffedabd78edcd547109783b05aa0d26c774bf

SHA256
1b9391ecbb9ae0d5301892eb3c0ea708e88c7aa19cad4eb4675d3eeb8907b6ec

SHA512
d1d1237ef0edb7526ac72e7321ba1989f7283bc5d5cdc4638086acad137f96d080805a4c4bf82bbd21740a9e6418fdd7984a6df48731ac7809538b732f5a3c9a

Download Submit
\Users\Admin\rms.exe

Filesize
33KB

MD5
7f18d543029468ba18b55e70fdf253c5

SHA1
9d9337e9b559a39367e9a0a6198b3499ed515628

SHA256
67be0257e5818ee64166bba1cc43109dc662790ad9807400020a61e625a3223f

SHA512
1608eee2148235acec1bdea4411d08a37980408d57cdc908103429843f2bb8319947eade92f7ad613b63f79ffdea4bcf9991fddd64aca818c07b4c3aaf5feacd

Download Submit
\Users\Admin\rms.exe

Filesize
33KB

MD5
7f18d543029468ba18b55e70fdf253c5

SHA1
9d9337e9b559a39367e9a0a6198b3499ed515628

SHA256
67be0257e5818ee64166bba1cc43109dc662790ad9807400020a61e625a3223f

SHA512
1608eee2148235acec1bdea4411d08a37980408d57cdc908103429843f2bb8319947eade92f7ad613b63f79ffdea4bcf9991fddd64aca818c07b4c3aaf5feacd

Download Submit
memory/296-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/296-64-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/296-63-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/296-61-0x000000000040129C-mapping.dmp

Download
memory/296-54-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/296-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/296-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/296-71-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/296-70-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/296-69-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/296-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/592-116-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-106-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-186-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-185-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-181-0x00000000099066A4-mapping.dmp

Download
memory/592-79-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-78-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-81-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-83-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-84-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-85-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-86-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-87-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-88-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-89-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-90-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-91-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-92-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-93-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-94-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-95-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-96-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-97-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-98-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-99-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-100-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-101-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-102-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-104-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-130-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-105-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-103-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-107-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-108-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-109-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-110-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-111-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-112-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-113-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-114-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-115-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-129-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-117-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-118-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-119-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-126-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-127-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-125-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-124-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-123-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-122-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-121-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-120-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/592-128-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/728-73-0x0000000000000000-mapping.dmp

Download
memory/2020-67-0x0000000000000000-mapping.dmp

Download
memory/2020-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2020-182-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2020-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2020-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads