4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055

Analysis

max time kernel
124s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe
Size

609KB
MD5

ca1fffc3f9fe24ccc4f143a62e570712
SHA1

e7db9f0655f9eaa7dd243c20ee94f5463ba75165
SHA256

4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055
SHA512

ddc8ca6c3e57b32d7f205341b94cedbaf3ab9fab63ad77802babaec250b3b1d7a89eb86fd37ff14f303a78507f9f3073ec1cb43a0199035163e0634d04fe3d94
SSDEEP

12288:my7U3urTDV/Omeo8huhYO7ZPtCXYMgin0sYKnGL07tWRYKBT7tSyape:my7UMZ/OV0v7RQ/1n0BKa0I6KR2A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
952	Á¬°´XÁ¬·¢.exe
1412	Server.exe
532	mspaint.ini

Loads dropped DLL 10 IoCs

pid	Process
864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe
864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe
864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe
952	Á¬°´XÁ¬·¢.exe
952	Á¬°´XÁ¬·¢.exe
864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe
952	Á¬°´XÁ¬·¢.exe
1412	Server.exe
1412	Server.exe
1412	Server.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\mspaint.ini	Server.exe
File opened for modification	C:\Windows\mspaint.ini	Server.exe
File created	C:\Windows\uninstal.bat	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	Server.exe
Token: SeDebugPrivilege	532	mspaint.ini

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
952	Á¬°´XÁ¬·¢.exe
952	Á¬°´XÁ¬·¢.exe
532	mspaint.ini
952	Á¬°´XÁ¬·¢.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
952	Á¬°´XÁ¬·¢.exe
952	Á¬°´XÁ¬·¢.exe
952	Á¬°´XÁ¬·¢.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	Á¬°´XÁ¬·¢.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 952	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	27
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 864 wrote to memory of 1412	864	4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe	28
PID 532 wrote to memory of 648	532	mspaint.ini	30
PID 532 wrote to memory of 648	532	mspaint.ini	30
PID 532 wrote to memory of 648	532	mspaint.ini	30
PID 532 wrote to memory of 648	532	mspaint.ini	30
PID 1412 wrote to memory of 1888	1412	Server.exe	31
PID 1412 wrote to memory of 1888	1412	Server.exe	31
PID 1412 wrote to memory of 1888	1412	Server.exe	31
PID 1412 wrote to memory of 1888	1412	Server.exe	31
PID 1412 wrote to memory of 1888	1412	Server.exe	31
PID 1412 wrote to memory of 1888	1412	Server.exe	31
PID 1412 wrote to memory of 1888	1412	Server.exe	31

C:\Users\Admin\AppData\Local\Temp\4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe
"C:\Users\Admin\AppData\Local\Temp\4246008da17370ad7c33a9b9d4c1406b76e7ea5b92d3aaebb022fe98be1d1055.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe
  "C:\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:952
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1888

C:\Windows\mspaint.ini
C:\Windows\mspaint.ini
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:532
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
C:\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
C:\Windows\mspaint.ini

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
C:\Windows\mspaint.ini

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
C:\Windows\uninstal.bat

Filesize
138B

MD5
108384deb7a65165fecad26c7a858e73

SHA1
72c2c562d4d2ce1ff9e09f89cffb21e8826b6aa0

SHA256
0a1c04dc426f3545e0a34a9a919dcd8203af726bf8cd1b7516b39f8faf43ada9

SHA512
6bee8f82c61e906a767f6710ca81d05961e8d1790c14447312721a09742a462751c860e483fad6ce89edc0018bcbeab021e882eae181c8cfbef23f7bc97fbff4

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
743KB

MD5
00257c9de12e366b216f86103fb665ce

SHA1
4c66574736799b1d79eb5e43e181a55aeb82df1b

SHA256
ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

SHA512
7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

Download Submit
\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
\Users\Admin\AppData\Local\Temp\Á¬°´XÁ¬·¢.exe

Filesize
440KB

MD5
34625138ff3db980db29a7fe833f3dc1

SHA1
7d0be39f782e4cd60e04fe0544e01ce581c0e20b

SHA256
7234c53fd6e66c6552294a38329af20624359abe353c2936abd411574a1ff05b

SHA512
777f376f724cc7ae475a23e1243e336e6c2939518ea7c744610104f9c11ae2d58516568a3265da63b1a3f7bb394209c9448e25c460eb7a40f6225d8672783596

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download