Analysis
- max time kernel: 115s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 11:39
Static task: static1
Behavioral task: behavioral1
- Sample: 9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe
- Resource: win10v2004-20220812-en
General
- Target: 9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe
- Size: 1.2MB
- MD5: cdd239261c9eaa47628f44764ec47a15
- SHA1: c2eb853468b5d0f72e84063bbe9550c04ff725ef
- SHA256: 9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175
- SHA512: 86114d181488df21c4e612269c03d0ff21e12109eb89286cc9ddf43f0eece5c8679b4eb845eba6bce9c2724c259dd4a8ceab2aa51933f7e926bab84036df44e6
- SSDEEP: 24576:l+qiFBFy8EudGS2ILHZaGtWbbDydkesS7Ne74Uol0Bma1pGCIB+kiKNX1:l+qaDyUdN2IHsDydke5Ne7TfBPGCeWK3
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  4748  7830.exe
  1388  9754.exe
  1532  9754.exe

Yara rule matches
  resource                                                                      yara_rule
  behavioral2/files/0x0007000000022e29-133.dat                                  upx
  behavioral2/files/0x0007000000022e29-134.dat                                  upx
  behavioral2/memory/4748-135-0x0000000000400000-0x000000000050D000-memory.dmp  upx
  behavioral2/memory/4748-137-0x0000000000400000-0x000000000050D000-memory.dmp  upx
  behavioral2/files/0x0008000000022e29-143.dat                                  upx
  behavioral2/files/0x0008000000022e29-144.dat                                  upx
  behavioral2/memory/1388-145-0x0000000000400000-0x00000000004D5000-memory.dmp  upx
  behavioral2/memory/1388-153-0x0000000000400000-0x00000000004D5000-memory.dmp  upx
  behavioral2/files/0x0008000000022e29-152.dat                                  upx

Loads dropped DLL (1 IoCs)
  pid   Process
  1532  9754.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process   procid_target
  PID 1388 set thread context of 1532    1388  9754.exe  84

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers system information (1 TTPs, 5 IoCs)
  Runs systeminfo.exe.
  pid   Process
  224   systeminfo.exe
  4256  systeminfo.exe
  2300  systeminfo.exe
  5072  systeminfo.exe
  4140  systeminfo.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                            pid   Process
  Token: 33                              4408  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege      4408  AUDIODG.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1532  9754.exe
  1532  9754.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  description                            pid   Process                                                                 procid_target
  PID 4292 wrote to memory of 4748       4292  9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe  79
  PID 4292 wrote to memory of 4748       4292  9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe  79
  PID 4292 wrote to memory of 4748       4292  9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe  79
  PID 4748 wrote to memory of 1600       4748  7830.exe                                                                80
  PID 4748 wrote to memory of 1600       4748  7830.exe                                                                80
  PID 4748 wrote to memory of 1600       4748  7830.exe                                                                80
  PID 1600 wrote to memory of 5072       1600  CMD.exe                                                                 82
  PID 1600 wrote to memory of 5072       1600  CMD.exe                                                                 82
  PID 1600 wrote to memory of 5072       1600  CMD.exe                                                                 82
  PID 4292 wrote to memory of 1388       4292  9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe  83
  PID 4292 wrote to memory of 1388       4292  9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe  83
  PID 4292 wrote to memory of 1388       4292  9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe  83
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1388 wrote to memory of 1532       1388  9754.exe                                                                84
  PID 1600 wrote to memory of 4140       1600  CMD.exe                                                                 87
  PID 1600 wrote to memory of 4140       1600  CMD.exe                                                                 87
  PID 1600 wrote to memory of 4140       1600  CMD.exe                                                                 87
  PID 1600 wrote to memory of 224        1600  CMD.exe                                                                 88
  PID 1600 wrote to memory of 224        1600  CMD.exe                                                                 88
  PID 1600 wrote to memory of 224        1600  CMD.exe                                                                 88
  PID 1600 wrote to memory of 4256       1600  CMD.exe                                                                 89
  PID 1600 wrote to memory of 4256       1600  CMD.exe                                                                 89
  PID 1600 wrote to memory of 4256       1600  CMD.exe                                                                 89
  PID 1600 wrote to memory of 2300       1600  CMD.exe                                                                 91
  PID 1600 wrote to memory of 2300       1600  CMD.exe                                                                 91
  PID 1600 wrote to memory of 2300       1600  CMD.exe                                                                 91
Processes
- C:\Users\Admin\AppData\Local\Temp\9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9899ab77f544031ca59178e8c7c621a5a3353935a35b8f14f3bce03613247175.exe"
  PID: 4292
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7830.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7830.exe
    PID: 4748
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\CMD.exe
      Command line: CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "C:\Users\Admin\AppData\Local\Temp\7830.exe"
      PID: 1600
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\systeminfo.exe
        Command line: SYSTEMINFO
        PID: 5072
        Signatures: Gathers system information
      - C:\Windows\SysWOW64\systeminfo.exe
        Command line: SYSTEMINFO
        PID: 4140
        Signatures: Gathers system information
      - C:\Windows\SysWOW64\systeminfo.exe
        Command line: SYSTEMINFO
        PID: 224
        Signatures: Gathers system information
      - C:\Windows\SysWOW64\systeminfo.exe
        Command line: SYSTEMINFO
        PID: 4256
        Signatures: Gathers system information
      - C:\Windows\SysWOW64\systeminfo.exe
        Command line: SYSTEMINFO
        PID: 2300
        Signatures: Gathers system information
  - C:\Users\Admin\AppData\Local\Temp\9754.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9754.exe
    PID: 1388
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9754.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\9754.exe
      PID: 1532
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x380 0x490
  PID: 4408
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 709KB
  MD5: a54ee9f6d1111e1c794acceffccb05df
  SHA1: a05ba55514cb2a7df0aaaf800132871aedfc9d21
  SHA256: 0898caf13c8783ebbf38e67a9188951a84051414473a0185501a265c880e59d0
  SHA512: 0cb75debbd816168bdd7d6bb4166119557b0b6a898e0b10ccc7d9967d1f709f9e4b9bd4ed6cf0019a5a61ee5fdbc6f91cfb2da52ea41719a68bbc80e0da28bc2
- Filesize: 542KB
  MD5: 9c59ce7bb3271b5b4cf7bd564775f3da
  SHA1: 8acaebf87d0deffc0c4699ce0434b9a6b17a0899
  SHA256: 775c5ad59e001e49c5da5aedec68adf60af6152446d2257c8cb96695bd2be227
  SHA512: dde5b242253849d29e78a934727f04c62ad10e16a34c70aae25c3745cce76c52c477fc463af30a4d0736f26155abb1510d2d4c106730534e267efd6e708f3bd8
- Filesize: 33KB
  MD5: e4ec57e8508c5c4040383ebe6d367928
  SHA1: b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
  SHA256: 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
  SHA512: 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822