b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec

Analysis

max time kernel
182s
max time network
193s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Size

833KB
MD5

37a81c2cb209704e0553693476eaf508
SHA1

985a4598ee04160dc04e40210e4c1ae6429ecdfd
SHA256

b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec
SHA512

d2acb33198cfffda5fe163f588e42649b9d98f076f96859f80d672935cf9470bb502fb944391eed2f6b48447bd3395d4c181829cd325493a64d9eb2acd3d49ea
SSDEEP

12288:kYDjlhlkyaS0iunBm1gCU6kvIqnnZ8uhqgr9sEs2EyhKh4Sf:k+5/0iunUzUBvIqnuusU3Sf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	winsdk.exe

Deletes itself 1 IoCs

pid	Process
940	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KeyBoardA.dat	winsdk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\winsdk.exe	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
File opened for modification	C:\Program Files (x86)\winsdk.exe	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: 1	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeCreateTokenPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeAssignPrimaryTokenPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeLockMemoryPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeIncreaseQuotaPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeMachineAccountPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeTcbPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeSecurityPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeTakeOwnershipPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeLoadDriverPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeSystemProfilePrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeSystemtimePrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeProfSingleProcessPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeIncBasePriorityPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeCreatePagefilePrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeCreatePermanentPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeBackupPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeRestorePrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeShutdownPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeDebugPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeAuditPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeSystemEnvironmentPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeChangeNotifyPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeRemoteShutdownPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeUndockPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeSyncAgentPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeEnableDelegationPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeManageVolumePrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeImpersonatePrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: SeCreateGlobalPrivilege	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
Token: 1	1148	winsdk.exe
Token: SeCreateTokenPrivilege	1148	winsdk.exe
Token: SeAssignPrimaryTokenPrivilege	1148	winsdk.exe
Token: SeLockMemoryPrivilege	1148	winsdk.exe
Token: SeIncreaseQuotaPrivilege	1148	winsdk.exe
Token: SeMachineAccountPrivilege	1148	winsdk.exe
Token: SeTcbPrivilege	1148	winsdk.exe
Token: SeSecurityPrivilege	1148	winsdk.exe
Token: SeTakeOwnershipPrivilege	1148	winsdk.exe
Token: SeLoadDriverPrivilege	1148	winsdk.exe
Token: SeSystemProfilePrivilege	1148	winsdk.exe
Token: SeSystemtimePrivilege	1148	winsdk.exe
Token: SeProfSingleProcessPrivilege	1148	winsdk.exe
Token: SeIncBasePriorityPrivilege	1148	winsdk.exe
Token: SeCreatePagefilePrivilege	1148	winsdk.exe
Token: SeCreatePermanentPrivilege	1148	winsdk.exe
Token: SeBackupPrivilege	1148	winsdk.exe
Token: SeRestorePrivilege	1148	winsdk.exe
Token: SeShutdownPrivilege	1148	winsdk.exe
Token: SeDebugPrivilege	1148	winsdk.exe
Token: SeAuditPrivilege	1148	winsdk.exe
Token: SeSystemEnvironmentPrivilege	1148	winsdk.exe
Token: SeChangeNotifyPrivilege	1148	winsdk.exe
Token: SeRemoteShutdownPrivilege	1148	winsdk.exe
Token: SeUndockPrivilege	1148	winsdk.exe
Token: SeSyncAgentPrivilege	1148	winsdk.exe
Token: SeEnableDelegationPrivilege	1148	winsdk.exe
Token: SeManageVolumePrivilege	1148	winsdk.exe
Token: SeImpersonatePrivilege	1148	winsdk.exe
Token: SeCreateGlobalPrivilege	1148	winsdk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
1148	winsdk.exe
1148	winsdk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1148	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	27
PID 304 wrote to memory of 1148	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	27
PID 304 wrote to memory of 1148	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	27
PID 304 wrote to memory of 1148	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	27
PID 304 wrote to memory of 940	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	28
PID 304 wrote to memory of 940	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	28
PID 304 wrote to memory of 940	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	28
PID 304 wrote to memory of 940	304	b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe	28

C:\Users\Admin\AppData\Local\Temp\b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe
"C:\Users\Admin\AppData\Local\Temp\b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304
- C:\Program Files (x86)\winsdk.exe
  "C:\Program Files (x86)\winsdk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec.exe"
  2⤵
  - Deletes itself
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winsdk.exe

Filesize
833KB

MD5
37a81c2cb209704e0553693476eaf508

SHA1
985a4598ee04160dc04e40210e4c1ae6429ecdfd

SHA256
b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec

SHA512
d2acb33198cfffda5fe163f588e42649b9d98f076f96859f80d672935cf9470bb502fb944391eed2f6b48447bd3395d4c181829cd325493a64d9eb2acd3d49ea

Download Submit
\Program Files (x86)\winsdk.exe

Filesize
833KB

MD5
37a81c2cb209704e0553693476eaf508

SHA1
985a4598ee04160dc04e40210e4c1ae6429ecdfd

SHA256
b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec

SHA512
d2acb33198cfffda5fe163f588e42649b9d98f076f96859f80d672935cf9470bb502fb944391eed2f6b48447bd3395d4c181829cd325493a64d9eb2acd3d49ea

Download Submit
\Program Files (x86)\winsdk.exe

Filesize
833KB

MD5
37a81c2cb209704e0553693476eaf508

SHA1
985a4598ee04160dc04e40210e4c1ae6429ecdfd

SHA256
b3ac6265b9feb6f4a1a76924b1523a74ec0ae8b1f2ab6b94e57478ae40f842ec

SHA512
d2acb33198cfffda5fe163f588e42649b9d98f076f96859f80d672935cf9470bb502fb944391eed2f6b48447bd3395d4c181829cd325493a64d9eb2acd3d49ea

Download Submit
memory/304-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/304-61-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-62-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download