798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Size

56KB
MD5

05c4389c881e46717dca51c4068379e0
SHA1

eea556f014b2eb41be1514e1d3a25765fef96999
SHA256

798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b
SHA512

d35d84903b43da396dab9872d62471bca1d9cad4920980c712639b1ed02c2078e608acb7374fbe45141a987699876bc3d8a197c6038e82960b829261e2fd7dd5
SSDEEP

1536:9OhCVsQ3KMfwM2aU8F78Pw4ASDVIIpyaxfC:9zVsQtEyo49UUaRC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1612	XXX.exe

Loads dropped DLL 4 IoCs

pid	Process
2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
1612	XXX.exe
1612	XXX.exe
1612	XXX.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program files\MSDN\LHL13.sys	XXX.exe
File created	C:\Program files\MSDN\000000001	XXX.exe
File opened for modification	C:\Program files\MSDN\000000001	XXX.exe
File created	C:\Program files\MSDN\hehex.sys	XXX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1612	XXX.exe
1612	XXX.exe
1612	XXX.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
460	Process not Found

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeAuditPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeBackupPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeChangeNotifyPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeCreatePagefilePrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeCreatePermanentPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeCreateTokenPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeDebugPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeIncBasePriorityPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeIncreaseQuotaPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeLoadDriverPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeLockMemoryPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeProfSingleProcessPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeRemoteShutdownPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeRestorePrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSecurityPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeShutdownPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSystemEnvironmentPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSystemProfilePrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeSystemtimePrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeTakeOwnershipPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeTcbPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeMachineAccountPrivilege	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
Token: SeDebugPrivilege	1612	XXX.exe
Token: SeDebugPrivilege	1612	XXX.exe
Token: SeDebugPrivilege	1612	XXX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 2032 wrote to memory of 1612	2032	798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe	27
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 316	1612	XXX.exe	28
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15
PID 1612 wrote to memory of 1268	1612	XXX.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe
  "C:\Users\Admin\AppData\Local\Temp\798dbf16c60e2e96121753c6e399345f10d1f96cc60c19a13b572c317ec6106b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\XXX.exe
    C:\Users\Admin\AppData\Local\Temp\\XXX.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c time 04:18:00
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\t.bat" "
      4⤵
      PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.bat

Filesize
130B

MD5
76fdf98d3292f1c7e18a0fe0a9e969e0

SHA1
e15b44f089e04657fc3267b62fb6570d926339dc

SHA256
438f9468c12c57235ed31422efb2b1d4bd55de5172b4b9893b0c8df334079cec

SHA512
c17bec0c6b044e2aa392d445a6417446e3b63a4503455198522bbae1c438ea19775c1ba9fc75cd62b123b2234231c17021ef3ba894659fdffb905054251dbeb5

Download Submit
\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
\Users\Admin\AppData\Local\Temp\XXX.exe

Filesize
35KB

MD5
d2779044769d61434d960358dadb8058

SHA1
14554925cb01d0eabf390a611946e4dbd618d584

SHA256
c34db1617b52ded90409c3e08bafa0c70d20a450b20aba5da41e609c2f4cdf3e

SHA512
6460360d20d217c6f33b332029761663218984a957ef228894026da1d82e2d49b6f1dfef75c498188516770d68fbc2c4790e3bbf08d50b0f6eaeedb5807b9c36

Download Submit
memory/1268-91-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-80-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-66-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-65-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-67-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-68-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-70-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-69-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-72-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-71-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-73-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-74-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-76-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-75-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-77-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-78-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-79-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-96-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-81-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-82-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-84-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-83-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-85-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-86-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-87-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-88-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-89-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-90-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-92-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-64-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-93-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-94-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-63-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-98-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-95-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-97-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-99-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-100-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-102-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-101-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-103-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-104-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-106-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-105-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-108-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-107-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-109-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-110-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-112-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-111-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-113-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-114-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-116-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-115-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-117-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-118-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-120-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-119-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-121-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-122-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-124-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-123-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1268-125-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/1612-57-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1612-62-0x0000000000390000-0x0000000000395000-memory.dmp

Filesize
20KB

Download