Analysis
- max time kernel: 40s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/12/2022, 14:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
- Resource: win7-20220812-en
General
- Target: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
- Size: 5.7MB
- MD5: 216bbaf75caf5bbb9ff3bf4e9c022a36
- SHA1: f080f91bd0e96ebb28a5da981b4a2876ce9eccea
- SHA256: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1
- SHA512: 7c5c3670dfc4f84330df9ec382bf7b7ec8e2436d053d75afd25b6328aeddbe886c4d5eb7eb986ef86136171104ee3bb5334eeca0a44edf6d5de78e5296303831
- SSDEEP: 98304:PHbIvLebqBxxiTkNj0iJpZcPhlusOhxH97mVXzk28p/kw9fYSNaHUGaeEyc/UhU:vbIdxGkLvklusOhxd4zk209fYSNPGFcL
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1968  Eewfhetyyyrtfpd.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1488  b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
  1488  b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  1800  chrome.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1488 set thread context of 1560
  pid: 1488
  Process: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
  procid_target: 29
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 43 IoCs)
  Processor information is often read in order to detect sandboxing environments.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1560  rundll32.exe
  624   chrome.exe
  1800  chrome.exe
  1800  chrome.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 1968
  Process: Eewfhetyyyrtfpd.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1968  Eewfhetyyyrtfpd.exe
  1560  rundll32.exe
  1800  chrome.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  1968  Eewfhetyyyrtfpd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1800  chrome.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe"
  PID: 1488
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
    PID: 1968
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\syswow64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    PID: 1560
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  PID: 1800
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb694f50,0x7fefb694f60,0x7fefb694f70
    PID: 616
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,7606213856199990778,17156442537818590365,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1112 /prefetch:2
    PID: 1724
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,7606213856199990778,17156442537818590365,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1368 /prefetch:8
    PID: 624
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,7606213856199990778,17156442537818590365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
    PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.4MB
  MD5: e7053575255acd45d4213d866123dbaf
  SHA1: 95fa5a2178eb1dd6a445685b3ab2905c11045d0c
  SHA256: 794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
  SHA512: e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401