18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3

Analysis

max time kernel
186s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe
Size

1.0MB
MD5

5b6c66e563d58f109037893a00ec2597
SHA1

ce6305c94ab8a67ec6fac0e27fddf22c96a0e550
SHA256

18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3
SHA512

36b56994424b2d15690b681eae89d70618bf8905731c22ad647e566ba450172b5c9f543c38addb80b32ce350ca8ba0494ab4fafb1294cbd7582135cb4d77526d
SSDEEP

12288:oP97VMS8Btcq58JYuQmRR2geC/nEXn0vVybfitBZLr:SxVb83cq5wQmRQgeCvc0vVsiTLr

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tmpsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winlogon = "C:\\Windows\\system32\\syslg.exe"	tmpsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\status = "C:\\Windows\\system32\\syslg.exe"	tmpsetup.exe

Executes dropped EXE 4 IoCs

pid	Process
268	both.exe
1920	thsscan.exe
876	setuploader.exe
924	tmpsetup.exe

Loads dropped DLL 12 IoCs

pid	Process
268	both.exe
268	both.exe
268	both.exe
268	both.exe
268	both.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
268	both.exe
924	tmpsetup.exe
924	tmpsetup.exe
924	tmpsetup.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\syslg.exe	tmpsetup.exe
File opened for modification	C:\Windows\SysWOW64\syslg.exe	tmpsetup.exe
File created	C:\Windows\System32\ntfsv.exe	setuploader.exe
File opened for modification	C:\Windows\SysWOW64\ntfsv.exe	setuploader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe
876	setuploader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
924	tmpsetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
924	tmpsetup.exe
876	setuploader.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
268	both.exe
876	setuploader.exe
924	tmpsetup.exe
924	tmpsetup.exe
924	tmpsetup.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 268	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	28
PID 1208 wrote to memory of 1920	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	29
PID 1208 wrote to memory of 1920	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	29
PID 1208 wrote to memory of 1920	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	29
PID 1208 wrote to memory of 1920	1208	18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe	29
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 876	268	both.exe	30
PID 268 wrote to memory of 924	268	both.exe	31
PID 268 wrote to memory of 924	268	both.exe	31
PID 268 wrote to memory of 924	268	both.exe	31
PID 268 wrote to memory of 924	268	both.exe	31
PID 268 wrote to memory of 924	268	both.exe	31
PID 268 wrote to memory of 924	268	both.exe	31
PID 268 wrote to memory of 924	268	both.exe	31

C:\Users\Admin\AppData\Local\Temp\18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe
"C:\Users\Admin\AppData\Local\Temp\18cf2ec90e51d778b8e375ee652cb1be2641a0277767ae9a06e5814c98e5cac3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\both.exe
  "C:\Users\Admin\AppData\Local\Temp\both.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\setuploader.exe
    "C:\Users\Admin\setuploader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:924
- C:\Users\Admin\AppData\Local\Temp\thsscan.exe
  "C:\Users\Admin\AppData\Local\Temp\thsscan.exe"
  2⤵
  - Executes dropped EXE
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\thsscan.exe

Filesize
517KB

MD5
8c1e53f34d0e6b731ec5c7e2fb18fd74

SHA1
94e98a3eac738466a5e53fb2e57c39666488b5db

SHA256
768ce6276d73ee630bdcd5c230517729b83df4fadf0325ed621525ff9d59535f

SHA512
311bd75bd99c7716503e5bf32233cf28036017a84049b3bb35f1c066718e5d725c16c63908701db4f316ffb1811fa2dcd7d0ce00543ca8c30677f7a85ff39663

Download Submit
C:\Users\Admin\AppData\Local\Temp\thsscan.exe

Filesize
517KB

MD5
8c1e53f34d0e6b731ec5c7e2fb18fd74

SHA1
94e98a3eac738466a5e53fb2e57c39666488b5db

SHA256
768ce6276d73ee630bdcd5c230517729b83df4fadf0325ed621525ff9d59535f

SHA512
311bd75bd99c7716503e5bf32233cf28036017a84049b3bb35f1c066718e5d725c16c63908701db4f316ffb1811fa2dcd7d0ce00543ca8c30677f7a85ff39663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
C:\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
C:\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
\Users\Admin\AppData\Local\Temp\both.exe

Filesize
328KB

MD5
f8370582074f5f85a5fe7a10889ae6bc

SHA1
298ed7f9c9727ba79613220fa06e2b2d716ccf72

SHA256
a4f87af981a5e0037544b03b98a2f58ab63f9c7f7bd137383f0deb4f87eeaa39

SHA512
f0358941be742548e577e0d008bfb0604d7adbfaf74e86c52eb272360446e110163652353cae5bb7669ed685f6e33ec094d545dfef42e1508807fad0631e105f

Download Submit
\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
\Users\Admin\AppData\Local\Temp\tmpsetup.exe

Filesize
68KB

MD5
32591caab14bd50332184c67ca582cd3

SHA1
0e30db94f0e8a486e1bd9fafb4a47b5d14670869

SHA256
fec686af0f201c49cf79666953532b0a816fccbebccbee4f2db80bb5e7270cb0

SHA512
017d622988cd9bb2043d10591b42b3cbd4031d5e2417cfca124454b877c83aae6e1487d7f259ba4f1df06f4edd43d85df21bf679ffaa92f6bccf4b0c7942f6ab

Download Submit
\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
\Users\Admin\setuploader.exe

Filesize
228KB

MD5
0b4fb9750c3cd5d2231f5ea94841d2e7

SHA1
5c69b4f321c1e3844176200466b627b989834373

SHA256
118be76da5b2718fc33437b76ef418c3765e638c5dc1a33020f0eb99c466788d

SHA512
1586f6a26e2fe55c81cb10f0b12a2cda5a04fcb1841d69529d6d4ef5bd9cb0e1d1227efe13b45fac120969af8e5f535bc8cac7e4a0b42e453dc67ccbefdc7c03

Download Submit
memory/268-65-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/876-95-0x0000000073E31000-0x0000000073E33000-memory.dmp

Filesize
8KB

Download
memory/924-94-0x00000000738A1000-0x00000000738A3000-memory.dmp

Filesize
8KB

Download
memory/924-93-0x0000000002B70000-0x000000000362A000-memory.dmp

Filesize
10.7MB

Download
memory/1208-55-0x000007FEF21D0000-0x000007FEF3266000-memory.dmp

Filesize
16.6MB

Download
memory/1208-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1208-59-0x00000000020E6000-0x0000000002105000-memory.dmp

Filesize
124KB

Download
memory/1208-63-0x00000000020E6000-0x0000000002105000-memory.dmp

Filesize
124KB

Download
memory/1208-54-0x000007FEF34B0000-0x000007FEF3ED3000-memory.dmp

Filesize
10.1MB

Download