ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7

Analysis

max time kernel
152s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 21:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe
Size

91KB
MD5

838cfe5af1d40b985ca4362388bcd628
SHA1

77f3b73cf9d986ea69d5910f1a62c7aa3e8d7ae9
SHA256

ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7
SHA512

6ba33713d55eb2d1623245ace0346588c26327ce6db18af03ddf8592b188c2b1bf2e2068f991867f34837062f5696ae34cec868ee02542f681e284ccb94fc4f2
SSDEEP

1536:MIyFO74DBkjsrAWfFYx4kLcG44GlcCg2J1i7uEGL+nMDQDbfDa/9iU/7bhy:MI/rsE3XcG4cC5iqE8+m8bci

Score

8^/10

persistence upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	iis.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	iis.exe
112	Wm_server.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MediaCenter\Parameters\ServiceDll = "C:\\Windows\\system32\\RrmwtnC.dll"	iis.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/files/0x000c0000000054a8-60.dat	upx
behavioral1/memory/1952-68-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-73.dat	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000600000001413c-61.dat	vmprotect
behavioral1/files/0x000600000001413c-69.dat	vmprotect
behavioral1/files/0x000600000001413c-70.dat	vmprotect

Loads dropped DLL 6 IoCs

pid	Process
284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe
284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe
1952	iis.exe
284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe
284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe
2004	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RrmwtnC.dll	iis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1952	iis.exe
1952	iis.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1952	iis.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 1952	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	27
PID 284 wrote to memory of 1952	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	27
PID 284 wrote to memory of 1952	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	27
PID 284 wrote to memory of 1952	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	27
PID 284 wrote to memory of 112	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	28
PID 284 wrote to memory of 112	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	28
PID 284 wrote to memory of 112	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	28
PID 284 wrote to memory of 112	284	ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe	28
PID 1952 wrote to memory of 1772	1952	iis.exe	31
PID 1952 wrote to memory of 1772	1952	iis.exe	31
PID 1952 wrote to memory of 1772	1952	iis.exe	31
PID 1952 wrote to memory of 1772	1952	iis.exe	31

C:\Users\Admin\AppData\Local\Temp\ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe
"C:\Users\Admin\AppData\Local\Temp\ec44454a66c9604d5a4e94cea74b8549752df2ac7cc96210aa5eaeef9db171a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284
- C:\Users\Admin\AppData\Local\Temp\iis.exe
  "C:\Users\Admin\AppData\Local\Temp\iis.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\iis.exe > nul
    3⤵
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\Wm_server.exe
  "C:\Users\Admin\AppData\Local\Temp\Wm_server.exe"
  2⤵
  - Executes dropped EXE
  PID:112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:1992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Loads dropped DLL
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wm_server.exe

Filesize
35KB

MD5
c321dc28c479f75f6dabb592361cb0e2

SHA1
15cb538de77ac676ba5c54aed50fbab69b1899c2

SHA256
822e94531f8efaf4d35dfdd512eb261791ee4df88b730567ee22a3a86e621ed5

SHA512
cf7de8b951d8d4ce3b61a3e730bfd0a197bf6daa3139471cea19abcc56851d079cb1d450f871026e7e9a97643d66b079aeb8a6360f7f43c00fe54b61c560e821

Download Submit
C:\Users\Admin\AppData\Local\Temp\iis.exe

Filesize
51KB

MD5
62c65b8abe56f864b2c7e97ef3e1c84b

SHA1
59b9cec9fb18fccdd94e0caafc77b31cb7e98141

SHA256
139c868446a45dc20b8b3cbebf461d697efd738ed25edb3bed67bfcff91f6566

SHA512
f06a25334731e06105ae61b15175bed9461574a2d859bb15e119e40125357f8e08702f1990df9e379a77e2e697418df2959ecd29f6ba87d714888ed7413aa933

Download Submit
C:\Users\Admin\AppData\Local\Temp\iis.exe

Filesize
51KB

MD5
62c65b8abe56f864b2c7e97ef3e1c84b

SHA1
59b9cec9fb18fccdd94e0caafc77b31cb7e98141

SHA256
139c868446a45dc20b8b3cbebf461d697efd738ed25edb3bed67bfcff91f6566

SHA512
f06a25334731e06105ae61b15175bed9461574a2d859bb15e119e40125357f8e08702f1990df9e379a77e2e697418df2959ecd29f6ba87d714888ed7413aa933

Download Submit
\??\c:\windows\SysWOW64\rrmwtnc.dll

Filesize
73KB

MD5
53b88b63c65b3bd2d31f9cc4fca575bb

SHA1
d2954876a3df24559bfbba2080759596806f7b06

SHA256
7ea6d23a9f37230ad837944137d57b98d4f9a68f094de3d093b7cd8264c9bc9b

SHA512
1083844a5e94cedd1bf5c5e01c17f4bebbf200c21e24cbce5d2d80f3a3077b15cf604609c0077417e903d7b6322bbdca3b6bb01b044a677fcef885147da75052

Download Submit
\Users\Admin\AppData\Local\Temp\Wm_server.exe

Filesize
35KB

MD5
c321dc28c479f75f6dabb592361cb0e2

SHA1
15cb538de77ac676ba5c54aed50fbab69b1899c2

SHA256
822e94531f8efaf4d35dfdd512eb261791ee4df88b730567ee22a3a86e621ed5

SHA512
cf7de8b951d8d4ce3b61a3e730bfd0a197bf6daa3139471cea19abcc56851d079cb1d450f871026e7e9a97643d66b079aeb8a6360f7f43c00fe54b61c560e821

Download Submit
\Users\Admin\AppData\Local\Temp\Wm_server.exe

Filesize
35KB

MD5
c321dc28c479f75f6dabb592361cb0e2

SHA1
15cb538de77ac676ba5c54aed50fbab69b1899c2

SHA256
822e94531f8efaf4d35dfdd512eb261791ee4df88b730567ee22a3a86e621ed5

SHA512
cf7de8b951d8d4ce3b61a3e730bfd0a197bf6daa3139471cea19abcc56851d079cb1d450f871026e7e9a97643d66b079aeb8a6360f7f43c00fe54b61c560e821

Download Submit
\Users\Admin\AppData\Local\Temp\iis.exe

Filesize
51KB

MD5
62c65b8abe56f864b2c7e97ef3e1c84b

SHA1
59b9cec9fb18fccdd94e0caafc77b31cb7e98141

SHA256
139c868446a45dc20b8b3cbebf461d697efd738ed25edb3bed67bfcff91f6566

SHA512
f06a25334731e06105ae61b15175bed9461574a2d859bb15e119e40125357f8e08702f1990df9e379a77e2e697418df2959ecd29f6ba87d714888ed7413aa933

Download Submit
\Users\Admin\AppData\Local\Temp\iis.exe

Filesize
51KB

MD5
62c65b8abe56f864b2c7e97ef3e1c84b

SHA1
59b9cec9fb18fccdd94e0caafc77b31cb7e98141

SHA256
139c868446a45dc20b8b3cbebf461d697efd738ed25edb3bed67bfcff91f6566

SHA512
f06a25334731e06105ae61b15175bed9461574a2d859bb15e119e40125357f8e08702f1990df9e379a77e2e697418df2959ecd29f6ba87d714888ed7413aa933

Download Submit
\Windows\SysWOW64\RrmwtnC.dll

Filesize
73KB

MD5
53b88b63c65b3bd2d31f9cc4fca575bb

SHA1
d2954876a3df24559bfbba2080759596806f7b06

SHA256
7ea6d23a9f37230ad837944137d57b98d4f9a68f094de3d093b7cd8264c9bc9b

SHA512
1083844a5e94cedd1bf5c5e01c17f4bebbf200c21e24cbce5d2d80f3a3077b15cf604609c0077417e903d7b6322bbdca3b6bb01b044a677fcef885147da75052

Download Submit
\Windows\SysWOW64\RrmwtnC.dll

Filesize
73KB

MD5
53b88b63c65b3bd2d31f9cc4fca575bb

SHA1
d2954876a3df24559bfbba2080759596806f7b06

SHA256
7ea6d23a9f37230ad837944137d57b98d4f9a68f094de3d093b7cd8264c9bc9b

SHA512
1083844a5e94cedd1bf5c5e01c17f4bebbf200c21e24cbce5d2d80f3a3077b15cf604609c0077417e903d7b6322bbdca3b6bb01b044a677fcef885147da75052

Download Submit
memory/284-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/284-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/284-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/284-55-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/1952-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download