Analysis
  max time kernel: 153s
  max time network: 134s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 04/12/2022, 13:32
Static task: static1

Behavioral task: behavioral1
  Sample: e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
  Resource: win10v2004-20221111-en
General
  Target: e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
  Size: 110KB
  MD5: a7af90f5da509415d3e03b2636628529
  SHA1: ab5f9294f77211bce8c0860964ef0408eeccf9f5
  SHA256: e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2
  SHA512: 02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845
  SSDEEP: 3072:ch6Jsu7EQ7qOIx4J2vNbGfvGnd3gW5ZM4/us:+0V7EQ7GNdndPZMTs
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\epgoenfr\\mvxboqoi.exe"
  process: svchost.exe

UAC bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: svchost.exe

Executes dropped EXE (1 IoC)
  pid: 1472
  process: ebvvtsqoipirywfk.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: svchost.exe

Drops startup file (2 IoCs)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvxboqoi.exe
  process: svchost.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvxboqoi.exe
  process: svchost.exe

Loads dropped DLL (4 IoCs)
  pid: 1488
  process: e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe (4 identical entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MvxBoqoi = "C:\\Users\\Admin\\AppData\\Local\\epgoenfr\\mvxboqoi.exe"
  process: svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid: 1528
  process: svchost.exe (42 identical entries)

Suspicious behavior: LoadsDriver (1 IoC)
  pid: 464
  process: Process not Found

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeSecurityPrivilege, pid 1488, e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
  Token: SeDebugPrivilege, pid 1488, e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
  Token: SeSecurityPrivilege, pid 1968, svchost.exe
  Token: SeSecurityPrivilege, pid 1528, svchost.exe
  Token: SeDebugPrivilege, pid 1528, svchost.exe
  Token: SeRestorePrivilege / SeBackupPrivilege, pid 1528, svchost.exe (alternating, repeated)
  Token: SeSecurityPrivilege, pid 1472, ebvvtsqoipirywfk.exe
  Token: SeLoadDriverPrivilege, pid 1472, ebvvtsqoipirywfk.exe
  Token: SeRestorePrivilege / SeBackupPrivilege, pid 1528, svchost.exe (alternating, repeated for the remaining entries, ending with SeRestorePrivilege)

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 1488 wrote to memory of 1968; pid 1488, e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe, procid_target 26 (10 entries)
  PID 1488 wrote to memory of 1528; pid 1488, e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe, procid_target 27 (10 entries)
  PID 1488 wrote to memory of 1472; pid 1488, e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe, procid_target 28 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1488

  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 1968

  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1528

  C:\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ebvvtsqoipirywfk.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1472
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 110KB
  MD5: a7af90f5da509415d3e03b2636628529
  SHA1: ab5f9294f77211bce8c0860964ef0408eeccf9f5
  SHA256: e3c799397c7e076d9e1d69ed46a093fb6bf46f08146f088a022a6a2d5a4abce2
  SHA512: 02e9d40d28bef9cf976342cdc19bc0b5081bf87ab2fc57b792201f3a57a6595f38f2e4fda31610687e5f621dc446dc14b92fee6c7c5eb8aff878cdc31fb90845
  (the same file, with identical hashes, is listed six times)