7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3

Analysis

max time kernel
142s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe
Size

2.4MB
MD5

c6ccdfd1d5f9d5be810d465bef9a1f49
SHA1

3145b0dcaf3d59b8f3fd9d4abd70d5e2ea8c08ec
SHA256

7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3
SHA512

614b4f559e2f01d70f8f610da394e8a0c07a2e4bfb800b96f03d3d08fa7166bd471737c45cedac4035d7aac10e2a8f7a90297fababcbcf8558902b6503b61734
SSDEEP

49152:/EVUchExecJDGxP1NC+A/PLKhAFs1NPIJBIpqJmBOVN6ZSQQ5nqY7yCt:/E38JDAL8M2sDCWpEm8VJQIt

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1528	j.exe
2012	Project1.exe
2044	sevc host.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1712	netsh.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012353-58.dat	upx
behavioral1/files/0x0009000000012353-60.dat	upx
behavioral1/files/0x0009000000012353-62.dat	upx
behavioral1/memory/1512-64-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1512-66-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2012-67-0x0000000000400000-0x000000000070D000-memory.dmp	upx
behavioral1/files/0x0009000000012353-69.dat	upx
behavioral1/memory/2012-72-0x0000000000400000-0x000000000070D000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7bfa60839bfb650b87f4db3a0b635ac8.exe	sevc host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7bfa60839bfb650b87f4db3a0b635ac8.exe	sevc host.exe

Loads dropped DLL 4 IoCs

pid	Process
1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe
1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe
1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe
1528	j.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\7bfa60839bfb650b87f4db3a0b635ac8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sevc host.exe\" .."	sevc host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7bfa60839bfb650b87f4db3a0b635ac8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sevc host.exe\" .."	sevc host.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1512-64-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe
behavioral1/memory/1512-66-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
1528	j.exe
1528	j.exe
1528	j.exe
2044	sevc host.exe
2044	sevc host.exe
2044	sevc host.exe
2044	sevc host.exe
2044	sevc host.exe
2044	sevc host.exe
2044	sevc host.exe
2044	sevc host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2044	sevc host.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	Project1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1440	AUDIODG.EXE
Token: 33	1440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1440	AUDIODG.EXE
Token: SeDebugPrivilege	2044	sevc host.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	Project1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1528	j.exe
2044	sevc host.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1528	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	27
PID 1512 wrote to memory of 1528	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	27
PID 1512 wrote to memory of 1528	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	27
PID 1512 wrote to memory of 1528	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	27
PID 1512 wrote to memory of 2012	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	28
PID 1512 wrote to memory of 2012	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	28
PID 1512 wrote to memory of 2012	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	28
PID 1512 wrote to memory of 2012	1512	7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe	28
PID 1528 wrote to memory of 2044	1528	j.exe	30
PID 1528 wrote to memory of 2044	1528	j.exe	30
PID 1528 wrote to memory of 2044	1528	j.exe	30
PID 1528 wrote to memory of 2044	1528	j.exe	30
PID 2044 wrote to memory of 1712	2044	sevc host.exe	31
PID 2044 wrote to memory of 1712	2044	sevc host.exe	31
PID 2044 wrote to memory of 1712	2044	sevc host.exe	31
PID 2044 wrote to memory of 1712	2044	sevc host.exe	31

C:\Users\Admin\AppData\Local\Temp\7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe
"C:\Users\Admin\AppData\Local\Temp\7b488f499dedba12660d63aa78afb84cc3de15a6613c08d9af03d7517a5e97d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\j.exe
  C:\Users\Admin\AppData\Local\Temp/j.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\sevc host.exe
    "C:\Users\Admin\AppData\Local\Temp\sevc host.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sevc host.exe" "sevc host.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1712
- C:\Users\Admin\AppData\Local\Temp\Project1.exe
  C:\Users\Admin\AppData\Local\Temp/Project1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
891KB

MD5
559d93b186c734f3caf6391fdd89df5d

SHA1
c84445d6691cbdc738664faf1b536fff47e494d3

SHA256
681ecc35b6467e84aeec702e4d12e8265e38306d5350939b977c9187c559b09c

SHA512
303d0c5f6188537f708cc2c841c06f8f80d5bea94ae8ebfbddac9dcfd67a40bc4339a5aaf507da9d6c4658191158d7cd0152bf1affdf03de823905cc70ef8a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
891KB

MD5
559d93b186c734f3caf6391fdd89df5d

SHA1
c84445d6691cbdc738664faf1b536fff47e494d3

SHA256
681ecc35b6467e84aeec702e4d12e8265e38306d5350939b977c9187c559b09c

SHA512
303d0c5f6188537f708cc2c841c06f8f80d5bea94ae8ebfbddac9dcfd67a40bc4339a5aaf507da9d6c4658191158d7cd0152bf1affdf03de823905cc70ef8a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\j.exe

Filesize
1.2MB

MD5
79be90a0d005189bdc1d573c1b18607a

SHA1
9dd1ad7a437ba9d33cfea91e3429bf3a63a41555

SHA256
2285c409141e4a2084df40f391dd1f1d3fe7241a0ddea8620fe464de50da0e16

SHA512
afcde85f8e3df95eb683550e7b39b4d93fec45e8aedd3f6d0a904341e0f70990b5594d06625e102312819d3b4e50db5ea78aea958ae651326c0640838c79692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\j.exe

Filesize
1.2MB

MD5
79be90a0d005189bdc1d573c1b18607a

SHA1
9dd1ad7a437ba9d33cfea91e3429bf3a63a41555

SHA256
2285c409141e4a2084df40f391dd1f1d3fe7241a0ddea8620fe464de50da0e16

SHA512
afcde85f8e3df95eb683550e7b39b4d93fec45e8aedd3f6d0a904341e0f70990b5594d06625e102312819d3b4e50db5ea78aea958ae651326c0640838c79692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sevc host.exe

Filesize
1.2MB

MD5
79be90a0d005189bdc1d573c1b18607a

SHA1
9dd1ad7a437ba9d33cfea91e3429bf3a63a41555

SHA256
2285c409141e4a2084df40f391dd1f1d3fe7241a0ddea8620fe464de50da0e16

SHA512
afcde85f8e3df95eb683550e7b39b4d93fec45e8aedd3f6d0a904341e0f70990b5594d06625e102312819d3b4e50db5ea78aea958ae651326c0640838c79692e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sevc host.exe

Filesize
1.2MB

MD5
79be90a0d005189bdc1d573c1b18607a

SHA1
9dd1ad7a437ba9d33cfea91e3429bf3a63a41555

SHA256
2285c409141e4a2084df40f391dd1f1d3fe7241a0ddea8620fe464de50da0e16

SHA512
afcde85f8e3df95eb683550e7b39b4d93fec45e8aedd3f6d0a904341e0f70990b5594d06625e102312819d3b4e50db5ea78aea958ae651326c0640838c79692e

Download Submit
\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
891KB

MD5
559d93b186c734f3caf6391fdd89df5d

SHA1
c84445d6691cbdc738664faf1b536fff47e494d3

SHA256
681ecc35b6467e84aeec702e4d12e8265e38306d5350939b977c9187c559b09c

SHA512
303d0c5f6188537f708cc2c841c06f8f80d5bea94ae8ebfbddac9dcfd67a40bc4339a5aaf507da9d6c4658191158d7cd0152bf1affdf03de823905cc70ef8a18

Download Submit
\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
891KB

MD5
559d93b186c734f3caf6391fdd89df5d

SHA1
c84445d6691cbdc738664faf1b536fff47e494d3

SHA256
681ecc35b6467e84aeec702e4d12e8265e38306d5350939b977c9187c559b09c

SHA512
303d0c5f6188537f708cc2c841c06f8f80d5bea94ae8ebfbddac9dcfd67a40bc4339a5aaf507da9d6c4658191158d7cd0152bf1affdf03de823905cc70ef8a18

Download Submit
\Users\Admin\AppData\Local\Temp\j.exe

Filesize
1.2MB

MD5
79be90a0d005189bdc1d573c1b18607a

SHA1
9dd1ad7a437ba9d33cfea91e3429bf3a63a41555

SHA256
2285c409141e4a2084df40f391dd1f1d3fe7241a0ddea8620fe464de50da0e16

SHA512
afcde85f8e3df95eb683550e7b39b4d93fec45e8aedd3f6d0a904341e0f70990b5594d06625e102312819d3b4e50db5ea78aea958ae651326c0640838c79692e

Download Submit
\Users\Admin\AppData\Local\Temp\sevc host.exe

Filesize
1.2MB

MD5
79be90a0d005189bdc1d573c1b18607a

SHA1
9dd1ad7a437ba9d33cfea91e3429bf3a63a41555

SHA256
2285c409141e4a2084df40f391dd1f1d3fe7241a0ddea8620fe464de50da0e16

SHA512
afcde85f8e3df95eb683550e7b39b4d93fec45e8aedd3f6d0a904341e0f70990b5594d06625e102312819d3b4e50db5ea78aea958ae651326c0640838c79692e

Download Submit
memory/1512-66-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1512-65-0x00000000033D0000-0x00000000037AE000-memory.dmp

Filesize
3.9MB

Download
memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1512-64-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1528-70-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-80-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-79-0x0000000000400000-0x00000000007DE000-memory.dmp

Filesize
3.9MB

Download
memory/1528-73-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-67-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2012-72-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2012-71-0x00000000729F1000-0x00000000729F3000-memory.dmp

Filesize
8KB

Download
memory/2044-81-0x0000000000400000-0x00000000007DE000-memory.dmp

Filesize
3.9MB

Download
memory/2044-82-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-85-0x0000000000400000-0x00000000007DE000-memory.dmp

Filesize
3.9MB

Download
memory/2044-86-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download