b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34

Analysis

max time kernel
246s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe
Size

420KB
MD5

1200f630d960ea698515201af0f0c006
SHA1

5ba609358b8526c0378df266aff57b7aa21e3ed9
SHA256

b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34
SHA512

a72aa470f9f4f1ecd22eff01a9e74ca74c03f42f96a6004e330138673b2b52576dfa663ea8671daa6f7ae5f82bf9e7bb931b559540d336263cbf3aa2c8c0178d
SSDEEP

6144:ZQHEannVRVHgyA37acHbkwKSvpruDo+sOJDy/GQoyVHi1i/nEtqhAxFzjtc7Ec6o:GHnVRCyAJKShulPk/GOVHZJcFlc7qUb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
752	tugoslnxerbt.exe
1516	tugoslnxerbt.exe

Deletes itself 1 IoCs

pid	Process
592	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	tugoslnxerbt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\fqjfqyebrrnb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\tugoslnxerbt.exe\""	tugoslnxerbt.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 752 set thread context of 1516	752	tugoslnxerbt.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tugoslnxerbt.exe	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe
File opened for modification	C:\Windows\tugoslnxerbt.exe	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe
Token: SeDebugPrivilege	1516	tugoslnxerbt.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 772 wrote to memory of 704	772	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	27
PID 704 wrote to memory of 752	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	28
PID 704 wrote to memory of 752	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	28
PID 704 wrote to memory of 752	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	28
PID 704 wrote to memory of 752	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	28
PID 704 wrote to memory of 592	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	29
PID 704 wrote to memory of 592	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	29
PID 704 wrote to memory of 592	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	29
PID 704 wrote to memory of 592	704	b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe	29
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31
PID 752 wrote to memory of 1516	752	tugoslnxerbt.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tugoslnxerbt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tugoslnxerbt.exe

C:\Users\Admin\AppData\Local\Temp\b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe
"C:\Users\Admin\AppData\Local\Temp\b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe
  "C:\Users\Admin\AppData\Local\Temp\b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\tugoslnxerbt.exe
    C:\Windows\tugoslnxerbt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\tugoslnxerbt.exe
      C:\Windows\tugoslnxerbt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B04F17~1.EXE
    3⤵
    - Deletes itself
    PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tugoslnxerbt.exe

Filesize
420KB

MD5
1200f630d960ea698515201af0f0c006

SHA1
5ba609358b8526c0378df266aff57b7aa21e3ed9

SHA256
b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34

SHA512
a72aa470f9f4f1ecd22eff01a9e74ca74c03f42f96a6004e330138673b2b52576dfa663ea8671daa6f7ae5f82bf9e7bb931b559540d336263cbf3aa2c8c0178d

Download Submit
C:\Windows\tugoslnxerbt.exe

Filesize
420KB

MD5
1200f630d960ea698515201af0f0c006

SHA1
5ba609358b8526c0378df266aff57b7aa21e3ed9

SHA256
b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34

SHA512
a72aa470f9f4f1ecd22eff01a9e74ca74c03f42f96a6004e330138673b2b52576dfa663ea8671daa6f7ae5f82bf9e7bb931b559540d336263cbf3aa2c8c0178d

Download Submit
C:\Windows\tugoslnxerbt.exe

Filesize
420KB

MD5
1200f630d960ea698515201af0f0c006

SHA1
5ba609358b8526c0378df266aff57b7aa21e3ed9

SHA256
b04f17c1d93ca085b43623689be0bbf6eb6d9c725b47293b31054d4195e56c34

SHA512
a72aa470f9f4f1ecd22eff01a9e74ca74c03f42f96a6004e330138673b2b52576dfa663ea8671daa6f7ae5f82bf9e7bb931b559540d336263cbf3aa2c8c0178d

Download Submit
memory/704-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-65-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-76-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-69-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/704-70-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-71-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-61-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-59-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/704-74-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/772-67-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/772-54-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/772-55-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1516-92-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1516-93-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1516-94-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads