a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 00:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
Size

148KB
MD5

30c17a49907ff35ded0056137256c415
SHA1

8af674e8e074c341b180c4a25472dd26ae1fee7e
SHA256

a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5
SHA512

16489d16f2275d2096a4170d85c56b4f6593df92f5be9a183c49198021901fb41e9ab01b3ed4d70da18ac84fc4a92389b87acc6386920c10cd2223df2315e757
SSDEEP

3072:HsjZBWAJCbL2+LaEdtQqXjuVx3ucPsunjzc5ULc5uszD9dDy6j6:HKZBWAJCbL2+LaEdSVx35P1nnc5ULc5B

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

pid	Process
1100	Admin.exe

Loads dropped DLL 2 IoCs

pid	Process
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
1100	Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1100	752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe	27
PID 752 wrote to memory of 1100	752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe	27
PID 752 wrote to memory of 1100	752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe	27
PID 752 wrote to memory of 1100	752	a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe	27

C:\Users\Admin\AppData\Local\Temp\a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe
"C:\Users\Admin\AppData\Local\Temp\a259969b6fd48340f98d575e469b96341bfd45f5e97a4777b462f9be04e17be5.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
148KB

MD5
eeb25408cec899dfe09f87e7d58601da

SHA1
0f793a0d77e6f449fd75a94e72664d05c4f03ec3

SHA256
bd6506d23f830dddd1b806d07e51711f7909372eebbbe863f259776ab6af4ef9

SHA512
358db9dcda96a5d01d32e301637118b40d9d91da76cf93574857c65706f27218bc909b797c7ce53b8fb0f75ffeb7c8e2f98e1b700fa039dd2e53143d74a8b6a7

Download Submit
\Users\Admin\Admin.exe

Filesize
148KB

MD5
eeb25408cec899dfe09f87e7d58601da

SHA1
0f793a0d77e6f449fd75a94e72664d05c4f03ec3

SHA256
bd6506d23f830dddd1b806d07e51711f7909372eebbbe863f259776ab6af4ef9

SHA512
358db9dcda96a5d01d32e301637118b40d9d91da76cf93574857c65706f27218bc909b797c7ce53b8fb0f75ffeb7c8e2f98e1b700fa039dd2e53143d74a8b6a7

Download Submit
\Users\Admin\Admin.exe

Filesize
148KB

MD5
eeb25408cec899dfe09f87e7d58601da

SHA1
0f793a0d77e6f449fd75a94e72664d05c4f03ec3

SHA256
bd6506d23f830dddd1b806d07e51711f7909372eebbbe863f259776ab6af4ef9

SHA512
358db9dcda96a5d01d32e301637118b40d9d91da76cf93574857c65706f27218bc909b797c7ce53b8fb0f75ffeb7c8e2f98e1b700fa039dd2e53143d74a8b6a7

Download Submit
memory/752-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/752-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/752-65-0x00000000038F0000-0x0000000003916000-memory.dmp

Filesize
152KB

Download
memory/752-66-0x00000000038F0000-0x0000000003916000-memory.dmp

Filesize
152KB

Download
memory/752-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1100-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1100-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download