Resubmissions
23-02-2023 14:03
230223-rcnzwsga69 1020-01-2023 12:25
230120-plqhzaff6y 1016-01-2023 12:00
230116-n6kyjsad9v 1015-01-2023 04:12
230115-esqr7sdg4v 1015-01-2023 04:01
230115-elc8jahg27 815-01-2023 03:56
230115-ehjk5shf75 815-01-2023 01:02
230115-bebjksbg8w 1015-01-2023 00:38
230115-azcfyafg72 8Analysis
-
max time kernel
192s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
15-01-2023 00:38
Static task
static1
Behavioral task
behavioral1
Sample
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
Resource
win10v2004-20221111-en
General
-
Target
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
-
Size
1.6MB
-
MD5
9f7aaf3a9a3f325dd533ecc38d85a351
-
SHA1
1ebdc55b96e11d9b924fbba8c5fa1799ff247970
-
SHA256
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd
-
SHA512
0afdcb5362be67938d00baaeb3974af3ad2b7342c8024ec2390ce87bad4c6252e4c8277a0bb36979cdcb4036aa9f7dc93ac23f78acdd04033c3086fa3fd7286f
-
SSDEEP
24576:yWmAFubS9dt9Mcp5CPu4YV5GaCxYiluVuTY4PRVGEw6GPDp5MwNrsJjF2GKGI8L:q29dRpYW4YV5QxYiET8ahPDMwNrs2y
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Engine.exeChampion.exe.pifpid process 1348 Engine.exe 1728 Champion.exe.pif -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exe upx C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exe upx behavioral2/memory/1348-136-0x0000000000400000-0x0000000000558000-memory.dmp upx behavioral2/memory/1348-154-0x0000000000400000-0x0000000000558000-memory.dmp upx behavioral2/memory/1348-162-0x0000000000400000-0x0000000000558000-memory.dmp upx -
Drops desktop.ini file(s) 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Champion.exe.pifdescription pid process target process PID 1728 set thread context of 4480 1728 Champion.exe.pif jsc.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Modifies registry class 3 IoCs
Processes:
svchost.exesvchost.exeOpenWith.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{7E7F3B1C-7434-414D-A0F9-37A305C47457} svchost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{9F011E5E-416D-4D12-9B2D-861E5EB80601} svchost.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 4896 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
powershell.exepowershell.exeChampion.exe.pifpid process 1572 powershell.exe 1572 powershell.exe 1572 powershell.exe 1572 powershell.exe 2428 powershell.exe 2428 powershell.exe 2428 powershell.exe 2428 powershell.exe 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exepid process 2428 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
powershell.exepowershell.exejsc.exe7zG.exedescription pid process Token: SeDebugPrivilege 1572 powershell.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeDebugPrivilege 4480 jsc.exe Token: SeRestorePrivilege 1500 7zG.exe Token: 35 1500 7zG.exe Token: SeSecurityPrivilege 1500 7zG.exe Token: SeSecurityPrivilege 1500 7zG.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Champion.exe.pif7zG.exepid process 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif 1500 7zG.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Champion.exe.pifpid process 1728 Champion.exe.pif 1728 Champion.exe.pif 1728 Champion.exe.pif -
Suspicious use of SetWindowsHookEx 30 IoCs
Processes:
OpenWith.exeOpenWith.exepid process 760 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe 2428 OpenWith.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exeEngine.execmd.execmd.exeChampion.exe.pifOpenWith.exedescription pid process target process PID 3808 wrote to memory of 1348 3808 88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe Engine.exe PID 3808 wrote to memory of 1348 3808 88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe Engine.exe PID 3808 wrote to memory of 1348 3808 88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe Engine.exe PID 1348 wrote to memory of 1904 1348 Engine.exe cmd.exe PID 1348 wrote to memory of 1904 1348 Engine.exe cmd.exe PID 1348 wrote to memory of 1904 1348 Engine.exe cmd.exe PID 1904 wrote to memory of 2308 1904 cmd.exe cmd.exe PID 1904 wrote to memory of 2308 1904 cmd.exe cmd.exe PID 1904 wrote to memory of 2308 1904 cmd.exe cmd.exe PID 2308 wrote to memory of 1572 2308 cmd.exe powershell.exe PID 2308 wrote to memory of 1572 2308 cmd.exe powershell.exe PID 2308 wrote to memory of 1572 2308 cmd.exe powershell.exe PID 2308 wrote to memory of 2428 2308 cmd.exe powershell.exe PID 2308 wrote to memory of 2428 2308 cmd.exe powershell.exe PID 2308 wrote to memory of 2428 2308 cmd.exe powershell.exe PID 2308 wrote to memory of 2004 2308 cmd.exe findstr.exe PID 2308 wrote to memory of 2004 2308 cmd.exe findstr.exe PID 2308 wrote to memory of 2004 2308 cmd.exe findstr.exe PID 2308 wrote to memory of 1728 2308 cmd.exe Champion.exe.pif PID 2308 wrote to memory of 1728 2308 cmd.exe Champion.exe.pif PID 2308 wrote to memory of 1728 2308 cmd.exe Champion.exe.pif PID 2308 wrote to memory of 3240 2308 cmd.exe PING.EXE PID 2308 wrote to memory of 3240 2308 cmd.exe PING.EXE PID 2308 wrote to memory of 3240 2308 cmd.exe PING.EXE PID 1728 wrote to memory of 4480 1728 Champion.exe.pif jsc.exe PID 1728 wrote to memory of 4480 1728 Champion.exe.pif jsc.exe PID 1728 wrote to memory of 4480 1728 Champion.exe.pif jsc.exe PID 1728 wrote to memory of 4480 1728 Champion.exe.pif jsc.exe PID 1728 wrote to memory of 4480 1728 Champion.exe.pif jsc.exe PID 2428 wrote to memory of 4896 2428 OpenWith.exe NOTEPAD.EXE PID 2428 wrote to memory of 4896 2428 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exeC:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exe /TH_ID=_2740 /OriginExe="C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cmd < 43⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avastui5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avgui5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ibXEdmiVmigethPmiCeveAlmmdbbRGVlGZgkrkVHBRdIphNCcvDTejGGhntqwKrSktcyZDvWGxUklCdjCVwceeizaHYEiVGRNbvySICSZHhIac$" 455⤵
-
C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\17473\Champion.exe.pif17473\\Champion.exe.pif 17473\\S5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 185⤵
- Runs ping.exe
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap26217:96:7zEvent31124 -t7z -sae -- "C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda.7z2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5ddc1fd34c017ade33953a0c52c535e9f
SHA18e0d6001a34911b73efc335bb96131ddd42febcc
SHA2567e910fd375bfc3d99435cdfc16da2680768cc28e15fba5a52f64ffa3bb43abda
SHA512a55bf6a7b235893e27a27a4d9f4aef406d53c227fc4fc6d0b98427790ebc195b28044f0aa0a64ab75bc1348918c4a3cd720b5685f291c10a13b49f228d76a638
-
C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda.7zFilesize
961KB
MD5001b3bc84e3fa8f6ee4d6db14aa55927
SHA1ebf65852f7eda23fa534ec09b6723979a7490496
SHA2569a83a0903128c5ffff229cfdc21a67754b53cecb4e3068e6a2ce4589d5e6c431
SHA512f8ce2dfd2a0353395a5cd154f25797727e65579bc1315c95f37a02c3e231e6e1ac9d5b0978d5fc2a4b857041c9d8debaf8c56341158cd7dce0572dfa9dee578e
-
C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\17473\Champion.exe.pifFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\17473\Champion.exe.pifFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\00000#4Filesize
12KB
MD54839bb17c0c82a044dbd0072c6c98cb6
SHA13c06dcc178dd8a8e2290b746cfc7e704a537c91f
SHA256a7e6636cd2ba510513484cfea9201884f64f7b664951402b909caf9728704ec2
SHA51213d607b989efca3105363a10f481ef02fdcfcd5da4a267da0b87f3f2417456e672337c8e6332e0be286f6401bea203149a1cd23a24a8006f689b32e9d6199b55
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\00001#45Filesize
872KB
MD5a3b85111ecdfc29672319893192bb7fd
SHA14ec865fd387eade4cd0b0ad8cabd68cae89ac8d5
SHA256ec8149d7c157e53108c089f07b8d2bf1156b8c1f8632c938a2130279927e2367
SHA5120c9e75843ebe962246a0fd2d15e2b90ae71257aac15ee7b1cf12a3fc383a144fef5959c0a81c7d9f55ef6893937b1a9868a7c2546d70045c40810a7b3a0be804
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\00002#7Filesize
1.5MB
MD5536073c3748e4eb7bbee303547b7227d
SHA14397b1d855e799f4d38467a848cda2273c1c6c73
SHA2568e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3
SHA5123b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exeFilesize
392KB
MD5a7a99a201774531d761f6aac2651a9df
SHA1b122ae368c4bf103e959a6ebb54ddb310117ab96
SHA256e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524
SHA512056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exeFilesize
392KB
MD5a7a99a201774531d761f6aac2651a9df
SHA1b122ae368c4bf103e959a6ebb54ddb310117ab96
SHA256e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524
SHA512056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Modern_Icon.bmpFilesize
7KB
MD51dd88f67f029710d5c5858a6293a93f1
SHA13e5ef66613415fe9467b2a24ccc27d8f997e7df6
SHA256b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
SHA5127071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94
-
C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Setup.txtFilesize
2KB
MD5ae90fca8c12f2c43c468fbd0954381f7
SHA1d475bb8f5891ab5f4c7cd2c90847cbfa68758842
SHA256d9f67a975a877aa95e76821542311adb21704988d8452916d5b51feeeff3e720
SHA5126880c7b658b7852bfcd597a57fd6e85f8a218e18d7acc248edc8efb2bea5a61063c4eeb5ae48008cc07408501c1af0eefc6a9010820ba823ab3fe66dae1f9041
-
memory/1348-136-0x0000000000400000-0x0000000000558000-memory.dmpFilesize
1.3MB
-
memory/1348-132-0x0000000000000000-mapping.dmp
-
memory/1348-154-0x0000000000400000-0x0000000000558000-memory.dmpFilesize
1.3MB
-
memory/1348-162-0x0000000000400000-0x0000000000558000-memory.dmpFilesize
1.3MB
-
memory/1572-144-0x0000000002220000-0x0000000002256000-memory.dmpFilesize
216KB
-
memory/1572-149-0x0000000005AF0000-0x0000000005B0E000-memory.dmpFilesize
120KB
-
memory/1572-150-0x0000000006CC0000-0x0000000006D56000-memory.dmpFilesize
600KB
-
memory/1572-151-0x0000000005FC0000-0x0000000005FDA000-memory.dmpFilesize
104KB
-
memory/1572-152-0x0000000006010000-0x0000000006032000-memory.dmpFilesize
136KB
-
memory/1572-153-0x0000000007310000-0x00000000078B4000-memory.dmpFilesize
5.6MB
-
memory/1572-148-0x00000000054E0000-0x0000000005546000-memory.dmpFilesize
408KB
-
memory/1572-147-0x0000000005340000-0x00000000053A6000-memory.dmpFilesize
408KB
-
memory/1572-146-0x00000000052A0000-0x00000000052C2000-memory.dmpFilesize
136KB
-
memory/1572-145-0x0000000004C40000-0x0000000005268000-memory.dmpFilesize
6.2MB
-
memory/1572-143-0x0000000000000000-mapping.dmp
-
memory/1728-159-0x0000000000000000-mapping.dmp
-
memory/1904-141-0x0000000000000000-mapping.dmp
-
memory/2004-158-0x0000000000000000-mapping.dmp
-
memory/2308-142-0x0000000000000000-mapping.dmp
-
memory/2428-155-0x0000000000000000-mapping.dmp
-
memory/3240-161-0x0000000000000000-mapping.dmp
-
memory/4480-163-0x0000000000000000-mapping.dmp
-
memory/4480-164-0x0000000001000000-0x00000000010A6000-memory.dmpFilesize
664KB
-
memory/4480-166-0x0000000005690000-0x0000000005722000-memory.dmpFilesize
584KB
-
memory/4896-169-0x0000000000000000-mapping.dmp