8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7

Analysis

max time kernel
245s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
Size

318KB
MD5

61f84d66a5a17e167e13a201330e59ee
SHA1

0b926845df78fdf81b4b8374d92a317862f41f3d
SHA256

8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7
SHA512

d13aa2cd5ae16fdf260f8c5df14696ef20369fada5f95c73e49b92d245207da3b649b534f8d5358bd08c7aa282df4bb7fae00994ddc51af64ad654e66b9d9183
SSDEEP

6144:P5BogeiM5RyVZts3UfNKUqeMiZRKNgMLcbxKkajReYYl1rdVvxf6sh/////P:RzimeUljqvsRKNgDKk6RPYl1TvxZh//X

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1928	EA_Keygen.exe
1780	zero.exe
888	win87.exe
1728	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
1780	zero.exe
1780	zero.exe
888	win87.exe
888	win87.exe
888	win87.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI69 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI46.exe\""	zero.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	win87.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	win87.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zero.exe	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 888	1780	zero.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1776	AUDIODG.EXE
Token: 33	1776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1776	AUDIODG.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1928	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	27
PID 1192 wrote to memory of 1928	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	27
PID 1192 wrote to memory of 1928	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	27
PID 1192 wrote to memory of 1928	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	27
PID 1192 wrote to memory of 1780	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	28
PID 1192 wrote to memory of 1780	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	28
PID 1192 wrote to memory of 1780	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	28
PID 1192 wrote to memory of 1780	1192	8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe	28
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 1780 wrote to memory of 888	1780	zero.exe	30
PID 888 wrote to memory of 1728	888	win87.exe	31
PID 888 wrote to memory of 1728	888	win87.exe	31
PID 888 wrote to memory of 1728	888	win87.exe	31
PID 888 wrote to memory of 1728	888	win87.exe	31

C:\Users\Admin\AppData\Local\Temp\8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe
"C:\Users\Admin\AppData\Local\Temp\8fc537037970b6891bd1e5537ee192ab128fb2a95d7087758af6033d9c3e8de7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\SysWOW64\zero.exe
  "C:\Windows\system32\zero.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\win87.exe
    C:\Users\Admin\AppData\Local\Temp\win87.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EA_Keygen.exe

Filesize
97KB

MD5
09bbea6a5f8ee12cbd3647ee74e2914a

SHA1
e6286aca0a7dbbdb507a66d55c19074049a1c197

SHA256
79afb5254ab3697e970cf6cdbd19e50993b593f4da60ff4fac5cc859ed4c2a69

SHA512
ca705ab0d8a01c23d4033acdd5125540b5a483a222bb2d6234b7becbfeb5630b9115c4307abbc1f6bae53fc63173ff50e3a6db30b147de3ae87a1e6372c3cbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Windows\SysWOW64\zero.exe

Filesize
212KB

MD5
c377c795f14dd65ca919fc1108f45197

SHA1
fe1efbc85d7acbf9ce78baeaa7fed29c31ba6409

SHA256
f4a14fce3586992a80501155dbc57d6857cd82d5c33248168c6f8f9a5a084dd9

SHA512
276ab732c31f2f87c7b4cf3505878203a99d0b2e20534b9b5d78a281266f67c597b405a01b4be18600b77e37abb0059b345bb500b1afddea0ebb35c37b3b155c

Download Submit
C:\Windows\SysWOW64\zero.exe

Filesize
212KB

MD5
c377c795f14dd65ca919fc1108f45197

SHA1
fe1efbc85d7acbf9ce78baeaa7fed29c31ba6409

SHA256
f4a14fce3586992a80501155dbc57d6857cd82d5c33248168c6f8f9a5a084dd9

SHA512
276ab732c31f2f87c7b4cf3505878203a99d0b2e20534b9b5d78a281266f67c597b405a01b4be18600b77e37abb0059b345bb500b1afddea0ebb35c37b3b155c

Download Submit
\Users\Admin\AppData\Local\Temp\EA_Keygen.exe

Filesize
97KB

MD5
09bbea6a5f8ee12cbd3647ee74e2914a

SHA1
e6286aca0a7dbbdb507a66d55c19074049a1c197

SHA256
79afb5254ab3697e970cf6cdbd19e50993b593f4da60ff4fac5cc859ed4c2a69

SHA512
ca705ab0d8a01c23d4033acdd5125540b5a483a222bb2d6234b7becbfeb5630b9115c4307abbc1f6bae53fc63173ff50e3a6db30b147de3ae87a1e6372c3cbb3

Download Submit
\Users\Admin\AppData\Local\Temp\EA_Keygen.exe

Filesize
97KB

MD5
09bbea6a5f8ee12cbd3647ee74e2914a

SHA1
e6286aca0a7dbbdb507a66d55c19074049a1c197

SHA256
79afb5254ab3697e970cf6cdbd19e50993b593f4da60ff4fac5cc859ed4c2a69

SHA512
ca705ab0d8a01c23d4033acdd5125540b5a483a222bb2d6234b7becbfeb5630b9115c4307abbc1f6bae53fc63173ff50e3a6db30b147de3ae87a1e6372c3cbb3

Download Submit
\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Users\Admin\AppData\Local\Temp\win87.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Windows\SysWOW64\zero.exe

Filesize
212KB

MD5
c377c795f14dd65ca919fc1108f45197

SHA1
fe1efbc85d7acbf9ce78baeaa7fed29c31ba6409

SHA256
f4a14fce3586992a80501155dbc57d6857cd82d5c33248168c6f8f9a5a084dd9

SHA512
276ab732c31f2f87c7b4cf3505878203a99d0b2e20534b9b5d78a281266f67c597b405a01b4be18600b77e37abb0059b345bb500b1afddea0ebb35c37b3b155c

Download Submit
\Windows\SysWOW64\zero.exe

Filesize
212KB

MD5
c377c795f14dd65ca919fc1108f45197

SHA1
fe1efbc85d7acbf9ce78baeaa7fed29c31ba6409

SHA256
f4a14fce3586992a80501155dbc57d6857cd82d5c33248168c6f8f9a5a084dd9

SHA512
276ab732c31f2f87c7b4cf3505878203a99d0b2e20534b9b5d78a281266f67c597b405a01b4be18600b77e37abb0059b345bb500b1afddea0ebb35c37b3b155c

Download Submit
memory/888-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-88-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-86-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1192-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1192-60-0x0000000002530000-0x0000000002581000-memory.dmp

Filesize
324KB

Download
memory/1192-59-0x0000000002530000-0x0000000002581000-memory.dmp

Filesize
324KB

Download
memory/1780-90-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-63-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1928-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1928-61-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download