b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
Size

403KB
MD5

6d324273dc71b77d6f52b940d1b78cec
SHA1

dbc9df026debf771fa77e7a09fd82794f4c286a9
SHA256

b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9
SHA512

f49ab55fe33b267391e7821f9ca1945830c3d50c167a661483a84c381b50a7333e8541c9d27fc0ec2ce445b2a28324e20bb47f7030cca56b2a8b7231079e1a93
SSDEEP

6144:UKwLo7Np0yN90QEcjyKzwMk2v9CrruNcT72iJK52M9vOE/VzZ:QLocy90ek2IFT752l/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2000	ppi.exe
964	ppi.exe
1816	1.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components\{PRIN68O9-OVFW-ABYP-YZDF-62QKRREPBZLF}	ppi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components\{PRIN68O9-OVFW-ABYP-YZDF-62QKRREPBZLF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	ppi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PRIN68O9-OVFW-ABYP-YZDF-62QKRREPBZLF}	ppi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PRIN68O9-OVFW-ABYP-YZDF-62QKRREPBZLF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	ppi.exe

Loads dropped DLL 7 IoCs

pid	Process
1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
2000	ppi.exe
2000	ppi.exe
964	ppi.exe
1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
1816	1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	ppi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Exp = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	ppi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 964	2000	ppi.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2000	ppi.exe
964	ppi.exe
1816	1.exe
1816	1.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 1220 wrote to memory of 2000	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	26
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 964	2000	ppi.exe	27
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 2000 wrote to memory of 1152	2000	ppi.exe	28
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30
PID 1220 wrote to memory of 1816	1220	b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe	30

C:\Users\Admin\AppData\Local\Temp\b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe
"C:\Users\Admin\AppData\Local\Temp\b475ca701f0bfe8e2ad245eee62ccbb3c696276bc7a58df1dff5d61cae7fe3c9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEzMzq89Avx.bat" "
    3⤵
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IEzMzq89Avx.bat

Filesize
193B

MD5
19263af0f56aab4f47a2881b5e17a259

SHA1
7175b11bdbf0c3f9f89bd38f68e953be1238d232

SHA256
a0525a5968119b7550e6a0b4205dbb696f82cde9ef806691998296a118e73efd

SHA512
8ba7da0eb67643f446040c14233505e4697cc710c45282d0a3df7fdac65065e61ddb872443cb4f9581d61cc94f7e4c013cd4c0b00a290bdbe6cbbdd511da6b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
480KB

MD5
1a5a851118b9e731ad47dd66fe703a00

SHA1
37d943d7ab96f9f0fb9197d8dc8232fc1fbd040c

SHA256
8b88cc00ecdae6e39190d38f2fe9c834be9c8e786e8cd466ddd2f04aa40d1abf

SHA512
589b44b66104700bd55d483a9dd8f166d03fbab6848d8230d6f57e2f6657a75ac4aa2efc56c66b4b51bef78b6b4da2186cdc39922ed271f6d90c508d6ceb38e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
480KB

MD5
1a5a851118b9e731ad47dd66fe703a00

SHA1
37d943d7ab96f9f0fb9197d8dc8232fc1fbd040c

SHA256
8b88cc00ecdae6e39190d38f2fe9c834be9c8e786e8cd466ddd2f04aa40d1abf

SHA512
589b44b66104700bd55d483a9dd8f166d03fbab6848d8230d6f57e2f6657a75ac4aa2efc56c66b4b51bef78b6b4da2186cdc39922ed271f6d90c508d6ceb38e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
480KB

MD5
1a5a851118b9e731ad47dd66fe703a00

SHA1
37d943d7ab96f9f0fb9197d8dc8232fc1fbd040c

SHA256
8b88cc00ecdae6e39190d38f2fe9c834be9c8e786e8cd466ddd2f04aa40d1abf

SHA512
589b44b66104700bd55d483a9dd8f166d03fbab6848d8230d6f57e2f6657a75ac4aa2efc56c66b4b51bef78b6b4da2186cdc39922ed271f6d90c508d6ceb38e9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
480KB

MD5
1a5a851118b9e731ad47dd66fe703a00

SHA1
37d943d7ab96f9f0fb9197d8dc8232fc1fbd040c

SHA256
8b88cc00ecdae6e39190d38f2fe9c834be9c8e786e8cd466ddd2f04aa40d1abf

SHA512
589b44b66104700bd55d483a9dd8f166d03fbab6848d8230d6f57e2f6657a75ac4aa2efc56c66b4b51bef78b6b4da2186cdc39922ed271f6d90c508d6ceb38e9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
408KB

MD5
5078c53950cb639359527921a9392acd

SHA1
aa2fb044cc10dd9166d5e748d762837c625332b3

SHA256
03204b0c36ea35821073de5cf11d506e13626c9637224c8f241cfa82cb3f5885

SHA512
838af859add381dcf7e3245909b0420576c0b6de2d1588d3fbf496a409a028d5aa36d63f2315b1d57fa1d5f19fc50632d5fefb59f445b9c2fb01426c8d26d396

Download Submit
memory/964-72-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/964-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/964-83-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1220-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads