eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe
Size

209KB
MD5

092e0add784eeba4e827cf6ba4974697
SHA1

6a99174453742da9593e5f5aa2322004329c0667
SHA256

eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34
SHA512

e6b8a49823bfc325f0efc2ad735fe514fe8ae49b8d00d4b1e3011f9ca9493a23746daf7d26c3d8e76aed6136516a5c8aebe88d10aac77e1fd91430ee78f68862
SSDEEP

6144:6/RS6GzafQElV3mmqzMvS6GzafQElV3mmqzC:6/RN48V3mm/N48V3mmp

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lhgllrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe

Executes dropped EXE 2 IoCs

pid	Process
1520	lhgllrn.exe
1360	wcsydrv.exe

Deletes itself 1 IoCs

pid	Process
1744	WScript.exe

Loads dropped DLL 4 IoCs

pid	Process
1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe
1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe
1520	lhgllrn.exe
1520	lhgllrn.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lhgllrn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhgllrn.exe"	lhgllrn.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	lhgllrn.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	lhgllrn.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhgllrn.exe"	lhgllrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wcsydrv.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	lhgllrn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
560	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1520	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	27
PID 1708 wrote to memory of 1520	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	27
PID 1708 wrote to memory of 1520	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	27
PID 1708 wrote to memory of 1520	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	27
PID 1708 wrote to memory of 1744	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	29
PID 1708 wrote to memory of 1744	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	29
PID 1708 wrote to memory of 1744	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	29
PID 1708 wrote to memory of 1744	1708	eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe	29
PID 1520 wrote to memory of 1360	1520	lhgllrn.exe	30
PID 1520 wrote to memory of 1360	1520	lhgllrn.exe	30
PID 1520 wrote to memory of 1360	1520	lhgllrn.exe	30
PID 1520 wrote to memory of 1360	1520	lhgllrn.exe	30

C:\Users\Admin\AppData\Local\Temp\eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe
"C:\Users\Admin\AppData\Local\Temp\eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\lhgllrn.exe
  "C:\Users\Admin\AppData\Local\Temp\lhgllrn.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
    "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    PID:1360
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\msuh.vbs"
  2⤵
  - Deletes itself
  PID:1744

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\msuh.vbs

Filesize
243B

MD5
b6160dedcf4889d526e3d85bcab88a38

SHA1
77c51dd9842f498e7127e30e0c28973be3002237

SHA256
b7b50001b6c440cf3effb1ba837988eb9c69f24af1dd182f204c5e0ef23e7cf8

SHA512
8f64b1b924358955b4b16584f9cca7aece0c2aba776c517f6889ff3238a5ac63b55144bfa4458d92dfc6583760bcd3721412996a15578ea7b10f960c97c7836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14743.jpg

Filesize
21KB

MD5
5e5c1419a55626cbca3cd2c4e5a3ed85

SHA1
42332f0680952b3e111b63f3fee5c136c37bb40e

SHA256
a0b6f9568c975e9f11387c09c950853bc3df6feefce1f8cca65e765c100d435c

SHA512
849420c3df39e5940872b5d335757d79cb4f0f2b4a09d7798175f7f2e74200bfffd4675fbb5744c3a00afd860270de78b595b5eeba4d51f1ab9666840839ac10

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhgllrn.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhgllrn.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
\Users\Admin\AppData\Local\Temp\lhgllrn.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
\Users\Admin\AppData\Local\Temp\lhgllrn.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
\Users\Admin\AppData\Local\Temp\wcsydrv.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
\Users\Admin\AppData\Local\Temp\wcsydrv.exe

Filesize
64KB

MD5
3f568b3289dbe148de0562c0c82b99d9

SHA1
37ace7dbadb88e9c881c7df1761b443d4837c1a6

SHA256
00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

SHA512
0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

Download Submit
memory/1708-56-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads