3b3f2716705df84738551d92feacc82c90afedff0bd823053e4e46848d2a3b7f

Analysis

max time kernel
187s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2022 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

867KB
MD5

a451c909421cad8d940d100f2bfc4651
SHA1

97df30202fa0ae5a2366d0bef6ed415bdad3f2a2
SHA256

3b3f2716705df84738551d92feacc82c90afedff0bd823053e4e46848d2a3b7f
SHA512

5a2b8225eb7107fc77f6f6dd350b455de620ee7c4e3eecc65b1fe183bbf8a3d825510f18abca1d5c3a0c1f5d6f7ec8b2cff1e42f8944142c5a6cc70be47d1c0f
SSDEEP

12288:rrF5UskuwSU/FbrrOLyvs6DvFY7y2lmFjtTshX4WeQ0aFUA2UK7gW:rrjxwhGLKsUFUbWOiG5xK79

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IZ9XU497.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	IZ9XU497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mbesp4mfw34210pq43pjutj1v5gn = "C:\\Users\\Admin\\AppData\\Roaming\\is5w2dm1q8t4h8t37q97h051\\mbesp4mfw34210pq43pjutj1v5gn.exe"	IZ9XU497.exe

Executes dropped EXE 3 IoCs

Processes:

mbesp4mfw34210pq43pjutj1v5gn.exeIZ9XU497.exeCYA61CS8O078U74477R48EO57N3W.exe

pid process

4412 mbesp4mfw34210pq43pjutj1v5gn.exe
2540 IZ9XU497.exe
3164 CYA61CS8O078U74477R48EO57N3W.exe
Loads dropped DLL 3 IoCs

Processes:

mbesp4mfw34210pq43pjutj1v5gn.exeIZ9XU497.exeCYA61CS8O078U74477R48EO57N3W.exe

pid process

4412 mbesp4mfw34210pq43pjutj1v5gn.exe
2540 IZ9XU497.exe
3164 CYA61CS8O078U74477R48EO57N3W.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

mbesp4mfw34210pq43pjutj1v5gn.exeIZ9XU497.exeCYA61CS8O078U74477R48EO57N3W.exe

pid	process
4412	mbesp4mfw34210pq43pjutj1v5gn.exe
4412	mbesp4mfw34210pq43pjutj1v5gn.exe
2540	IZ9XU497.exe
2540	IZ9XU497.exe
2540	IZ9XU497.exe
2540	IZ9XU497.exe
3164	CYA61CS8O078U74477R48EO57N3W.exe
3164	CYA61CS8O078U74477R48EO57N3W.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

mbesp4mfw34210pq43pjutj1v5gn.exeIZ9XU497.exeCYA61CS8O078U74477R48EO57N3W.exe

description	pid	process
Token: SeDebugPrivilege	4412	mbesp4mfw34210pq43pjutj1v5gn.exe
Token: SeDebugPrivilege	2540	IZ9XU497.exe
Token: SeDebugPrivilege	3164	CYA61CS8O078U74477R48EO57N3W.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

mbesp4mfw34210pq43pjutj1v5gn.exeIZ9XU497.exeCYA61CS8O078U74477R48EO57N3W.exe

pid	process
4412	mbesp4mfw34210pq43pjutj1v5gn.exe
4412	mbesp4mfw34210pq43pjutj1v5gn.exe
4412	mbesp4mfw34210pq43pjutj1v5gn.exe
4412	mbesp4mfw34210pq43pjutj1v5gn.exe
2540	IZ9XU497.exe
2540	IZ9XU497.exe
2540	IZ9XU497.exe
2540	IZ9XU497.exe
3164	CYA61CS8O078U74477R48EO57N3W.exe
3164	CYA61CS8O078U74477R48EO57N3W.exe
3164	CYA61CS8O078U74477R48EO57N3W.exe
3164	CYA61CS8O078U74477R48EO57N3W.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1.exembesp4mfw34210pq43pjutj1v5gn.exeIZ9XU497.exe

description	pid	process	target process
PID 4124 wrote to memory of 4412	4124	1.exe	mbesp4mfw34210pq43pjutj1v5gn.exe
PID 4124 wrote to memory of 4412	4124	1.exe	mbesp4mfw34210pq43pjutj1v5gn.exe
PID 4124 wrote to memory of 4412	4124	1.exe	mbesp4mfw34210pq43pjutj1v5gn.exe
PID 4412 wrote to memory of 2540	4412	mbesp4mfw34210pq43pjutj1v5gn.exe	IZ9XU497.exe
PID 4412 wrote to memory of 2540	4412	mbesp4mfw34210pq43pjutj1v5gn.exe	IZ9XU497.exe
PID 4412 wrote to memory of 2540	4412	mbesp4mfw34210pq43pjutj1v5gn.exe	IZ9XU497.exe
PID 2540 wrote to memory of 3164	2540	IZ9XU497.exe	CYA61CS8O078U74477R48EO57N3W.exe
PID 2540 wrote to memory of 3164	2540	IZ9XU497.exe	CYA61CS8O078U74477R48EO57N3W.exe
PID 2540 wrote to memory of 3164	2540	IZ9XU497.exe	CYA61CS8O078U74477R48EO57N3W.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\mbesp4mfw34210pq43pjutj1v5gn.exe
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\mbesp4mfw34210pq43pjutj1v5gn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\493D2C9A1\IZ9XU497.exe
433A5C55736572735C41646D696E5C417070446174615C526F616D696E675C6973357732646D31713874346838743337713937683035315C6D62657370346D6677333432313070713433706A75746A317635676E2E657865
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\493D2C9A1\CYA61CS8O078U74477R48EO57N3W.exe
433A5C55736572735C41646D696E5C417070446174615C526F616D696E675C6973357732646D31713874346838743337713937683035315C6D62657370346D6677333432313070713433706A75746A317635676E2E657865
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\078BFBFF000306D2

Filesize
116B

MD5
a8824f0bfccab8e1b1d842900d265d9b

SHA1
6ac5da93d907ce7e2f73cc46d7200fc0d2503ff4

SHA256
998fcd319497c50c3bd81621f05ee29cb4b5915f7026ba08f4cc172adc5768ba

SHA512
16285b8caa9d9a634ec25a47facb7f9de0ecf771a55121ad1233fd5ce92348193fc91a95e86ec1aa1360ad48dfab631aa2b14b02e2311b49cc6abcc30ac2845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\CYA61CS8O078U74477R48EO57N3W.data

Filesize
246B

MD5
ef4740afed81a1194d995f2d571cde29

SHA1
dec9cc578bcacdbd77c5819ada6389beac1bbbd9

SHA256
62e2b5adefb60d2610e00022aa42614327ef3be7e85dfb337f481b4c63651f3e

SHA512
3a417d1f0929814ae7d5e06bfbe599a2bbe18265eb4c59034ce9202cea0197820eae85bfdffe4da165b0e98fb3218a7f8b8e514797d729c3f5a65cac8d486e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\CYA61CS8O078U74477R48EO57N3W.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\CYA61CS8O078U74477R48EO57N3W.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\IZ9XU497.data

Filesize
158B

MD5
a791cbda0cfb5b7f7245c029fd6dd016

SHA1
e8bdbfd44bddcdd9c5c3b7962c730a317b773a03

SHA256
e073944e92c08d51c618fe4ea1c899ddfaa99e01414edaca89468463bc50eb60

SHA512
2101ac673b5b27b103ebec03edc0ac9c1e1abba719c53ab2132a6ae7d5c992b6d8ed76ba476046b06f47e39d7317a0be0e566423e403ab97d33196a7fbd0aaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\IZ9XU497.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\IZ9XU497.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\493D2C9A1\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\goopdate.dll

Filesize
424KB

MD5
7ac15af25453a3af866795745ab69cd4

SHA1
305bd8a0be224ffb2fbaf321fc26ef04de09b5c7

SHA256
1d0162cf04cd2181874ff9f016b0b6bfca4f4c6557f75a91298b2a761763a99d

SHA512
e79091c0d0a83f08f0eefb093ef3caacf03c8473275fc36ff927cd78b07dbf3402fc7e6ffc7f050d7a2a13c670971507687cb03a274add0d9ed10fd448b2afdb

Download Submit
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\mbesp4mfw34210pq43pjutj1v5gn.data

Filesize
158B

MD5
a791cbda0cfb5b7f7245c029fd6dd016

SHA1
e8bdbfd44bddcdd9c5c3b7962c730a317b773a03

SHA256
e073944e92c08d51c618fe4ea1c899ddfaa99e01414edaca89468463bc50eb60

SHA512
2101ac673b5b27b103ebec03edc0ac9c1e1abba719c53ab2132a6ae7d5c992b6d8ed76ba476046b06f47e39d7317a0be0e566423e403ab97d33196a7fbd0aaf1

Download Submit
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\mbesp4mfw34210pq43pjutj1v5gn.data

Filesize
246B

MD5
ef4740afed81a1194d995f2d571cde29

SHA1
dec9cc578bcacdbd77c5819ada6389beac1bbbd9

SHA256
62e2b5adefb60d2610e00022aa42614327ef3be7e85dfb337f481b4c63651f3e

SHA512
3a417d1f0929814ae7d5e06bfbe599a2bbe18265eb4c59034ce9202cea0197820eae85bfdffe4da165b0e98fb3218a7f8b8e514797d729c3f5a65cac8d486e2f

Download Submit
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\mbesp4mfw34210pq43pjutj1v5gn.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
C:\Users\Admin\AppData\Roaming\is5w2dm1q8t4h8t37q97h051\mbesp4mfw34210pq43pjutj1v5gn.exe

Filesize
167KB

MD5
54a010c60be10b65eee5506720fccabb

SHA1
18cfa274db7d6567441db036eb2b25b720d58884

SHA256
9a4b728a0b652056cbd312dd917adc08c72c89b6f666472f4e3d59a1b8039d89

SHA512
afb51acc8b684db72d5ee9ad7c340d852322af0862a80976c6830330c9e094bc77e760a5806ba883b437c0d10139aa783c21cd87acd405c453df98422d6b99ae

Download Submit
memory/2540-182-0x0000000003E70000-0x0000000004153000-memory.dmp

Filesize
2.9MB

Download
memory/2540-173-0x0000000004C50000-0x0000000004D3A000-memory.dmp

Filesize
936KB

Download
memory/2540-170-0x0000000004420000-0x0000000004484000-memory.dmp

Filesize
400KB

Download
memory/2540-169-0x0000000004E70000-0x0000000004FDB000-memory.dmp

Filesize
1.4MB

Download
memory/2540-172-0x0000000004B30000-0x0000000004C4B000-memory.dmp

Filesize
1.1MB

Download
memory/2540-167-0x0000000004840000-0x0000000004934000-memory.dmp

Filesize
976KB

Download
memory/2540-154-0x0000000000000000-mapping.dmp

Download
memory/2540-171-0x0000000004840000-0x0000000004934000-memory.dmp

Filesize
976KB

Download
memory/2540-174-0x0000000004E70000-0x0000000004FDB000-memory.dmp

Filesize
1.4MB

Download
memory/2540-175-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/2540-183-0x0000000004E40000-0x0000000004E67000-memory.dmp

Filesize
156KB

Download
memory/2540-165-0x0000000003E70000-0x0000000004153000-memory.dmp

Filesize
2.9MB

Download
memory/2540-160-0x0000000002E80000-0x0000000002F6C000-memory.dmp

Filesize
944KB

Download
memory/2540-184-0x0000000004E41000-0x0000000004E5E000-memory.dmp

Filesize
116KB

Download
memory/2540-162-0x0000000002E80000-0x0000000002F6C000-memory.dmp

Filesize
944KB

Download
memory/2540-163-0x0000000003E70000-0x0000000004153000-memory.dmp

Filesize
2.9MB

Download
memory/3164-179-0x0000000002FC0000-0x00000000030AC000-memory.dmp

Filesize
944KB

Download
memory/3164-181-0x0000000002FC0000-0x00000000030AC000-memory.dmp

Filesize
944KB

Download
memory/3164-195-0x0000000004A70000-0x0000000004AC2000-memory.dmp

Filesize
328KB

Download
memory/3164-191-0x0000000004F20000-0x000000000508B000-memory.dmp

Filesize
1.4MB

Download
memory/3164-194-0x0000000004F20000-0x000000000508B000-memory.dmp

Filesize
1.4MB

Download
memory/3164-193-0x0000000004D00000-0x0000000004DEA000-memory.dmp

Filesize
936KB

Download
memory/3164-192-0x0000000004BE0000-0x0000000004CFB000-memory.dmp

Filesize
1.1MB

Download
memory/3164-190-0x0000000004970000-0x0000000004A64000-memory.dmp

Filesize
976KB

Download
memory/3164-189-0x0000000004560000-0x00000000045C4000-memory.dmp

Filesize
400KB

Download
memory/3164-187-0x0000000004970000-0x0000000004A64000-memory.dmp

Filesize
976KB

Download
memory/3164-186-0x0000000003F90000-0x0000000004273000-memory.dmp

Filesize
2.9MB

Download
memory/3164-185-0x0000000003F90000-0x0000000004273000-memory.dmp

Filesize
2.9MB

Download
memory/3164-176-0x0000000000000000-mapping.dmp

Download
memory/4412-148-0x0000000005050000-0x00000000051BB000-memory.dmp

Filesize
1.4MB

Download
memory/4412-146-0x0000000004D00000-0x0000000004E1B000-memory.dmp

Filesize
1.1MB

Download
memory/4412-132-0x0000000000000000-mapping.dmp

Download
memory/4412-142-0x0000000001070000-0x0000000001164000-memory.dmp

Filesize
976KB

Download
memory/4412-144-0x0000000000DF0000-0x0000000000E54000-memory.dmp

Filesize
400KB

Download
memory/4412-140-0x0000000004530000-0x0000000004813000-memory.dmp

Filesize
2.9MB

Download
memory/4412-139-0x0000000004530000-0x0000000004813000-memory.dmp

Filesize
2.9MB

Download
memory/4412-138-0x0000000002AB0000-0x0000000002B9C000-memory.dmp

Filesize
944KB

Download
memory/4412-145-0x0000000001070000-0x0000000001164000-memory.dmp

Filesize
976KB

Download
memory/4412-143-0x0000000004530000-0x0000000004813000-memory.dmp

Filesize
2.9MB

Download
memory/4412-147-0x0000000004E20000-0x0000000004F0A000-memory.dmp

Filesize
936KB

Download
memory/4412-136-0x0000000002AB0000-0x0000000002B9C000-memory.dmp

Filesize
944KB

Download
memory/4412-159-0x0000000004530000-0x0000000004813000-memory.dmp

Filesize
2.9MB

Download
memory/4412-149-0x00000000011B0000-0x0000000001202000-memory.dmp

Filesize
328KB

Download
memory/4412-150-0x0000000001070000-0x0000000001164000-memory.dmp

Filesize
976KB

Download
memory/4412-151-0x0000000004D00000-0x0000000004E1B000-memory.dmp

Filesize
1.1MB

Download
memory/4412-152-0x0000000004E20000-0x0000000004F0A000-memory.dmp

Filesize
936KB

Download
memory/4412-153-0x0000000005050000-0x00000000051BB000-memory.dmp

Filesize
1.4MB

Download
memory/4412-158-0x0000000002AB0000-0x0000000002B9C000-memory.dmp

Filesize
944KB

Download