cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556

Analysis

max time kernel
146s
max time network
128s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe
Size

189KB
MD5

193bb9c959855c3a8356d58196cb5a10
SHA1

d749dd058fdf6e7c1606be6faff54877b470993d
SHA256

cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556
SHA512

038e9a72af90c35f95b2534caef5f2b9950da841c83c139a4a9ca35bba50f600a997a90e708ee1a5c79929f07c9933743f594dcb50cfa0c298b8886d801dd2f4
SSDEEP

1536:UnLAU/dliWszl/LgIU5pOKBWeEdkU5q/OwHFkNPIAjWdRJo7:U5/zRwPUnO+WrkU5fwqIAjuRJo7

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\windows\\system32\\Isass.exe"	canine.exe

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	canine.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	canine.exe
Key created	\REGISTRY\MACHINE\system\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	canine.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	canine.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\mskmwk.com"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\mskmwk.com"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
1496	server.exe
2044	canine.exe
1916	svchost.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\StubPath = "C:\\Windows\\system32\\mskkgw.com"	svchost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-58.dat	upx
behavioral1/files/0x00140000000054ab-62.dat	upx
behavioral1/files/0x0007000000015c41-66.dat	upx
behavioral1/files/0x0007000000015c41-69.dat	upx
behavioral1/memory/1496-70-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x0006000000015c60-71.dat	upx
behavioral1/memory/1916-72-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe
812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe
812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe
812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	canine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnLab V3Lite Tray Process = "C:Program FilesAhnLabV3LiteV3LTray.exe /stop"	canine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ALYac = "C:Program FilesESTsoftALYacAYUpdate.exe /stop"	canine.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mslg.blf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\mskkgw.com	server.exe
File created	C:\Windows\SysWOW64\mskkgw.com	server.exe
File opened for modification	C:\Windows\SysWOW64\mskkgw.com	svchost.exe
File created	C:\Windows\SysWOW64\mskkgw.com	svchost.exe
File created	C:\Windows\SysWOW64\mslg.blf	svchost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\msagent\mskmwk.com	svchost.exe
File created	C:\Windows\msagent\mskmwk.com	svchost.exe
File opened for modification	C:\Windows\svchost.exe	server.exe
File created	C:\Windows\svchost.exe	server.exe
File opened for modification	C:\Windows\msagent\mskmwk.com	server.exe
File created	C:\Windows\msagent\mskmwk.com	server.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	svchost.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1496	server.exe
Token: SeSecurityPrivilege	1496	server.exe
Token: SeTakeOwnershipPrivilege	1496	server.exe
Token: SeLoadDriverPrivilege	1496	server.exe
Token: SeSystemProfilePrivilege	1496	server.exe
Token: SeSystemtimePrivilege	1496	server.exe
Token: SeProfSingleProcessPrivilege	1496	server.exe
Token: SeIncBasePriorityPrivilege	1496	server.exe
Token: SeCreatePagefilePrivilege	1496	server.exe
Token: SeBackupPrivilege	1496	server.exe
Token: SeRestorePrivilege	1496	server.exe
Token: SeShutdownPrivilege	1496	server.exe
Token: SeDebugPrivilege	1496	server.exe
Token: SeSystemEnvironmentPrivilege	1496	server.exe
Token: SeRemoteShutdownPrivilege	1496	server.exe
Token: SeUndockPrivilege	1496	server.exe
Token: SeManageVolumePrivilege	1496	server.exe
Token: 33	1496	server.exe
Token: 34	1496	server.exe
Token: 35	1496	server.exe
Token: SeIncreaseQuotaPrivilege	1916	svchost.exe
Token: SeSecurityPrivilege	1916	svchost.exe
Token: SeTakeOwnershipPrivilege	1916	svchost.exe
Token: SeLoadDriverPrivilege	1916	svchost.exe
Token: SeSystemProfilePrivilege	1916	svchost.exe
Token: SeSystemtimePrivilege	1916	svchost.exe
Token: SeProfSingleProcessPrivilege	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: SeCreatePagefilePrivilege	1916	svchost.exe
Token: SeBackupPrivilege	1916	svchost.exe
Token: SeRestorePrivilege	1916	svchost.exe
Token: SeShutdownPrivilege	1916	svchost.exe
Token: SeDebugPrivilege	1916	svchost.exe
Token: SeSystemEnvironmentPrivilege	1916	svchost.exe
Token: SeRemoteShutdownPrivilege	1916	svchost.exe
Token: SeUndockPrivilege	1916	svchost.exe
Token: SeManageVolumePrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: 34	1916	svchost.exe
Token: 35	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe
Token: 33	1916	svchost.exe
Token: SeIncBasePriorityPrivilege	1916	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1496	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	27
PID 812 wrote to memory of 1496	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	27
PID 812 wrote to memory of 1496	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	27
PID 812 wrote to memory of 1496	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	27
PID 812 wrote to memory of 2044	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	28
PID 812 wrote to memory of 2044	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	28
PID 812 wrote to memory of 2044	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	28
PID 812 wrote to memory of 2044	812	cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe	28
PID 1496 wrote to memory of 1916	1496	server.exe	29
PID 1496 wrote to memory of 1916	1496	server.exe	29
PID 1496 wrote to memory of 1916	1496	server.exe	29
PID 1496 wrote to memory of 1916	1496	server.exe	29
PID 1496 wrote to memory of 1828	1496	server.exe	30
PID 1496 wrote to memory of 1828	1496	server.exe	30
PID 1496 wrote to memory of 1828	1496	server.exe	30
PID 1496 wrote to memory of 1828	1496	server.exe	30

C:\Users\Admin\AppData\Local\Temp\cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe
"C:\Users\Admin\AppData\Local\Temp\cd826c05fd2518d345d97e67783810e5da1f6d0037574648e1d87f9de4815556.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
    3⤵
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\canine.exe
  "C:\Users\Admin\AppData\Local\Temp\canine.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\#3#.bat

Filesize
128B

MD5
7e7020f74572c0b6dda0b02da417c45d

SHA1
bd867a90126843ea2e318d61d9f29f29c9e7694d

SHA256
826e3ca2c1abf89a3819169453a7861782b682aa6fa58611039b7b06eec3b4b6

SHA512
daf95093d8896edd6dfd99a3bb95b8518f8703f146a48638001a7eb6ae4eae1eb9ff51bbbcf6e534762cd25adf1387250101096f00717db616b1e845a7e783b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\canine.exe

Filesize
152KB

MD5
659c0b65f51e018317d5e575cda56dfe

SHA1
4bed23ce63efcdba9dbb627bfdc99970d8cf17f3

SHA256
731aa6a0b371801b2b2e6fd83d6a91f6ba1c0505928fa611b995240c9d74a8ae

SHA512
131e5507502b8cd6aa7fa1cedf45b4f7c866effc5ea2ac24160c37e3c8f280d2fa5f79ab2fce3a6186798c652688731917bc35392a1c80972a3e8fc0613b923a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
C:\Windows\SysWOW64\mskkgw.com

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
C:\Windows\svchost.exe

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
C:\Windows\svchost.exe

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
\Users\Admin\AppData\Local\Temp\canine.exe

Filesize
152KB

MD5
659c0b65f51e018317d5e575cda56dfe

SHA1
4bed23ce63efcdba9dbb627bfdc99970d8cf17f3

SHA256
731aa6a0b371801b2b2e6fd83d6a91f6ba1c0505928fa611b995240c9d74a8ae

SHA512
131e5507502b8cd6aa7fa1cedf45b4f7c866effc5ea2ac24160c37e3c8f280d2fa5f79ab2fce3a6186798c652688731917bc35392a1c80972a3e8fc0613b923a

Download Submit
\Users\Admin\AppData\Local\Temp\canine.exe

Filesize
152KB

MD5
659c0b65f51e018317d5e575cda56dfe

SHA1
4bed23ce63efcdba9dbb627bfdc99970d8cf17f3

SHA256
731aa6a0b371801b2b2e6fd83d6a91f6ba1c0505928fa611b995240c9d74a8ae

SHA512
131e5507502b8cd6aa7fa1cedf45b4f7c866effc5ea2ac24160c37e3c8f280d2fa5f79ab2fce3a6186798c652688731917bc35392a1c80972a3e8fc0613b923a

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
30KB

MD5
42629a48ef89d2ed798d4b61864c4e5e

SHA1
dabf6abdca968f00d6d1b08b27370a52d4cbfd2c

SHA256
ee7515305b2217a6690fb631d6c41f78e28978f54935791829e78801bc2938f0

SHA512
ce1f256a9a240a3702e23c048488950732d75002855b2df1a63cea9be8c8c657979910377baa4321e7743f1725cfca14f50ccfbdbeddaa94136af88afa586ef0

Download Submit
memory/812-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1496-70-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads