Analysis

  • max time kernel
    124s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
  • submitted
    03/12/2022, 20:06

General

  • Target

    bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe

  • Size

    749KB

  • MD5

    829698894b4a13b4a683f97301b0f682

  • SHA1

    353513afd1d98071ebe6090cb4b793e30422a2c3

  • SHA256

    bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88

  • SHA512

    8500418d814d1cc145492c73a82b3a247f83fb6a89a3c6506fe925107795c1060038636e58b55e47f196ae1e07b851e4f99cb5a733bfdbe4d574b31a323aea5b

  • SSDEEP

    12288:g72bntEL772bntELDRFj47+572bntEL772bntELDRFj47+HDn0:g72ze72z2Ky72ze72z2K80

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
    "C:\Users\Admin\AppData\Local\Temp\bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:1356
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1568
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:1520
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:572
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:840
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1620
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1364
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Users\Admin\AppData\Local\Temp\avscan.exe
          C:\Users\Admin\AppData\Local\Temp\avscan.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\windows\W_X_C.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:360
          • C:\windows\hosts.exe
            C:\windows\hosts.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1644
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            5⤵
            • Adds policy Run key to start application
            PID:892
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1956
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:660
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1724
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:1900

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.2MB

    MD5

    d29e4d3ce2942bd23c31b3789d00367f

    SHA1

    cb4b137aececba283328c49997e30d98c1a2f6f8

    SHA256

    710aef09d68731125abbc4b070de67816226168b4244b11be0a4d15d925952f1

    SHA512

    9d1d2bac16a2b273702c42db007a58448b95e43dd5f3a12108b157e6ad7e00703fbb8f5242676a4aac0f1e06a7c824e8e1112f9bbc9ea5c1819da4fbecc0797a

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.2MB

    MD5

    99402351444ea979537b07f919d6ba30

    SHA1

    a07a4d154a553fc8875d7aba914cf1498750f665

    SHA256

    a200cbc68086a36e332ba98c7808617fdc895f21215dd09bef8f2df1938da90a

    SHA512

    eb8299e842594268e4fbd222183eb7fdf4ba1f6b2667530de008933d2f308fbddd2bab156d4fbd2ccd013fa83aef1405c08871d65bc1478936c26b6b7cf1db30

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    3.7MB

    MD5

    fc46e0114bb04c02fdbed82ca0649fe2

    SHA1

    89fa143b916318e3a9ea81155ec045fbd8fcdf0b

    SHA256

    249fe69ad4c7ce632b3ad4f151610e879b269753c5488c3fa52638af4ff2d210

    SHA512

    0bdd45fd14bd3f1a9a2ed0e6e7b41154b2903284dbcb6483129a617c9237fbfd0489f7d3b59f6a4d0f0a35595b7ecb860fcd68e5dd4554ddb098fbad1f52bccb

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    3.7MB

    MD5

    20ba081282aa2edf0d294e8b758f40a3

    SHA1

    9f6d7c1e1b53825456d83d0d4f34d88639fc516c

    SHA256

    2d53cd4a7b0861112902d9a4fe41c1f0c97f4379b0fa7e738c27f2f4d3103b90

    SHA512

    855ddb1efb4868e6ffc6e0f63f6793548946e26762d3f3e6b358a5e9ec9ed5b2d7697383c8dd204f3345ae22dea81ad721043002f61e8e9e2759cd2d99e9e02a

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    5.2MB

    MD5

    c7bad70cbfcf8cc2ad7ab16abe62356c

    SHA1

    a5969acb0b664d5155f269be8ef2fdb574fe0e4d

    SHA256

    849b828d89b67a1fc574873b8e141e9eecb8710934b9fed87ea70e16dacfc271

    SHA512

    c524c1334a64f1de9ed47786d863be396cf14c05693f769dc42bbbdb2f4b3a14cb7b6df714758c9114edd928af3801aa7e5479d655ee314fcbbe953d71301069

  • C:\Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    749KB

    MD5

    e387d5b54de31ab73f36367fdc019b04

    SHA1

    5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

    SHA256

    cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

    SHA512

    5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    8efab902a61f6cddc318bb5818c2f2e0

    SHA1

    9608751279ae04ba710d84c61e3937c12950b393

    SHA256

    a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

    SHA512

    aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

  • C:\Windows\hosts.exe

    Filesize

    749KB

    MD5

    2d6edf5a2bf6cf484be473df1150c794

    SHA1

    1ea6a3e649169bccde28391271a1b3d9efcd70a4

    SHA256

    3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

    SHA512

    52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

  • C:\windows\hosts.exe

    Filesize

    749KB

    MD5

    2d6edf5a2bf6cf484be473df1150c794

    SHA1

    1ea6a3e649169bccde28391271a1b3d9efcd70a4

    SHA256

    3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

    SHA512

    52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    749KB

    MD5

    e387d5b54de31ab73f36367fdc019b04

    SHA1

    5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

    SHA256

    cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

    SHA512

    5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

  • memory/1140-58-0x00000000745E1000-0x00000000745E3000-memory.dmp

    Filesize

    8KB

  • memory/1140-56-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB