501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
Size

743KB
MD5

149e86fc124eb1dbe400281d2bcd3b00
SHA1

571a30f7204da2479ad565f0e7ee236744662323
SHA256

501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7
SHA512

63d566764874644796e6141232e45d179186bdadb7f61e0e95ca62fd801ccd05e1ac0281220dcb6733ccc00e372db638e33409da37b3592a81c80810cb41866f
SSDEEP

12288:W/5pooFT7xMgKvLvruqQ5+uWXdyFlQh9FRvJQSVc0xK7gTENep0P:Wxm+xMRvLvXduVI/T0gTvp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1352	tmp.exe
740	R_Server.exe

Deletes itself 1 IoCs

pid	Process
944	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe
1352	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	R_Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1352	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	26
PID 1404 wrote to memory of 1352	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	26
PID 1404 wrote to memory of 1352	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	26
PID 1404 wrote to memory of 1352	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	26
PID 1404 wrote to memory of 740	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	27
PID 1404 wrote to memory of 740	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	27
PID 1404 wrote to memory of 740	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	27
PID 1404 wrote to memory of 740	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	27
PID 1404 wrote to memory of 944	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	28
PID 1404 wrote to memory of 944	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	28
PID 1404 wrote to memory of 944	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	28
PID 1404 wrote to memory of 944	1404	501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe	28

C:\Users\Admin\AppData\Local\Temp\501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe
"C:\Users\Admin\AppData\Local\Temp\501f6a8514fbc0618b31fd21122e6ac6562aca318a3d90f5ccb3ed174cd9cea7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe" -NetStat
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
30.7MB

MD5
1e95520b9220d8c36a7bb05df4dcf1ef

SHA1
e5ec5e86192b515ea027266fba106fdd6367f004

SHA256
eff07d3e9248c3d128c5fe084e59b410467638cc1e8173e85bcc02860482a297

SHA512
89125104d84b1b8cb0d812b19f2c91d554d401ef0024b7ae99c33a7f38c99aa4218ed4adc19c3016f5c27ed6f61bae3dd848b5ffa0c7d716578083c494bfb39b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe

Filesize
30.0MB

MD5
61910644e9560ebea70adc93af6c7f9e

SHA1
e110bafedefb8db4b092349c5412367fe3669422

SHA256
0145df902adcc046e1a99fb05e52b12d46d69dace736159a7295afa600754853

SHA512
fb42e43a7eac0ddb2704dc4f1956091eb74b3295c2f272d6426399f9d8401fdb6df4ce0a4afa16f0b4780b1b898fa702f0187ffda902b67a3e0da1cb1d32f488

Download Submit
C:\Windows\SysWOW64\Deleteme.bat

Filesize
254B

MD5
4396fd32caadd3ebd84b7a7c319012e7

SHA1
ce6bc22f479e83deebdcc6433a2b77cf8424ef0b

SHA256
7cb5f57158574bda4a577faf71a04561967da0a31dbd2463d060e9a3b6d46348

SHA512
313b771392cb8b07548b71cbfa8db6a106227a0466534af821df374eb525e724c1fc79d4bc555b66f3442ef8583e5b9d28782d80e7aed2471d637bdfb920ba6b

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
30.7MB

MD5
1e95520b9220d8c36a7bb05df4dcf1ef

SHA1
e5ec5e86192b515ea027266fba106fdd6367f004

SHA256
eff07d3e9248c3d128c5fe084e59b410467638cc1e8173e85bcc02860482a297

SHA512
89125104d84b1b8cb0d812b19f2c91d554d401ef0024b7ae99c33a7f38c99aa4218ed4adc19c3016f5c27ed6f61bae3dd848b5ffa0c7d716578083c494bfb39b

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
30.7MB

MD5
1e95520b9220d8c36a7bb05df4dcf1ef

SHA1
e5ec5e86192b515ea027266fba106fdd6367f004

SHA256
eff07d3e9248c3d128c5fe084e59b410467638cc1e8173e85bcc02860482a297

SHA512
89125104d84b1b8cb0d812b19f2c91d554d401ef0024b7ae99c33a7f38c99aa4218ed4adc19c3016f5c27ed6f61bae3dd848b5ffa0c7d716578083c494bfb39b

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe

Filesize
30.0MB

MD5
61910644e9560ebea70adc93af6c7f9e

SHA1
e110bafedefb8db4b092349c5412367fe3669422

SHA256
0145df902adcc046e1a99fb05e52b12d46d69dace736159a7295afa600754853

SHA512
fb42e43a7eac0ddb2704dc4f1956091eb74b3295c2f272d6426399f9d8401fdb6df4ce0a4afa16f0b4780b1b898fa702f0187ffda902b67a3e0da1cb1d32f488

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe

Filesize
30.0MB

MD5
61910644e9560ebea70adc93af6c7f9e

SHA1
e110bafedefb8db4b092349c5412367fe3669422

SHA256
0145df902adcc046e1a99fb05e52b12d46d69dace736159a7295afa600754853

SHA512
fb42e43a7eac0ddb2704dc4f1956091eb74b3295c2f272d6426399f9d8401fdb6df4ce0a4afa16f0b4780b1b898fa702f0187ffda902b67a3e0da1cb1d32f488

Download Submit
memory/1404-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download