Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 18/12/2022, 07:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: f531ce7ae00aa330d78a225784ed8547.exe
- Resource: win7-20221111-en
General
- Target: f531ce7ae00aa330d78a225784ed8547.exe
- Size: 5.6MB
- MD5: f531ce7ae00aa330d78a225784ed8547
- SHA1: d852cddba6d1f2617ebb7dd95d1ad6ab20c64e70
- SHA256: e017dd97109b67d634e66b76676a1e840612418cfa45ed5bbee319871911f197
- SHA512: f1ca41143adde44c849dc62718cfa928f1d17924d1885fe812fd38e19cd204702521f20fa5d7a81075839b48638d9c248a4c1c1c9f88822fd7c31043e7f6452e
- SSDEEP: 98304:BafJVPlzBtcmiTb1qbLlGLHVN+AKjhQ5n3Y3LXb6Pkl9zSCFIX+33MLQ:BafrlDGTgbLYzVNCGn3Y7X2Py6y3M
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2004: Eewfhetyyyrtfpd.exe
- Loads dropped DLL (2 IoCs)
  PID 1544: f531ce7ae00aa330d78a225784ed8547.exe
  PID 1544: f531ce7ae00aa330d78a225784ed8547.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 780: chrome.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1544 (f531ce7ae00aa330d78a225784ed8547.exe) set thread context of 704 (procid_target 30)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 50 IoCs)
  Processor information is often read in order to detect sandboxing environments.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 780: chrome.exe
  PID 780: chrome.exe
  PID 704: rundll32.exe
  PID 776: chrome.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2004: Eewfhetyyyrtfpd.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2004: Eewfhetyyyrtfpd.exe
  PID 780: chrome.exe
  PID 704: rundll32.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  PID 2004: Eewfhetyyyrtfpd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 780: chrome.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\f531ce7ae00aa330d78a225784ed8547.exe (depth 1, PID 1544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f531ce7ae00aa330d78a225784ed8547.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe (depth 2, PID 2004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\syswow64\rundll32.exe (depth 2, PID 704)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
- C:\Program Files\Google\Chrome\Application\chrome.exe (depth 1, PID 780)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 1496)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7064f50,0x7fef7064f60,0x7fef7064f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 776)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1212,582095218884802527,994585392748237217,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1280 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 1908)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1212,582095218884802527,994585392748237217,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=932 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 1788)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1212,582095218884802527,994585392748237217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1824 /prefetch:8
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.4MB
  MD5: e7053575255acd45d4213d866123dbaf
  SHA1: 95fa5a2178eb1dd6a445685b3ab2905c11045d0c
  SHA256: 794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
  SHA512: e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401