Resubmissions
23-02-2023 13:58
230223-q979csga63 1023-02-2023 13:58
230223-q91vaaga59 330-01-2023 00:58
230130-bbgw7adb9t 1015-01-2023 07:31
230115-jcmg3abg69 1015-01-2023 07:28
230115-jarn1aff51 315-01-2023 01:34
230115-by7fcscb6w 10Analysis
-
max time kernel
502s -
max time network
559s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-es -
resource tags
arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
15-01-2023 01:34
Static task
static1
Behavioral task
behavioral1
Sample
working_attack.7z
Resource
win7-20221111-es
General
-
Target
working_attack.7z
-
Size
925KB
-
MD5
79c2ac9fb282708c97b2622b1dcf8428
-
SHA1
bbfeb1b3a9379ca5fd894b8c5afa0b95f5eef1b7
-
SHA256
db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
-
SHA512
2334c5568ec148985245936d8301e8677b0d6b9809943f1c705ab80572be150d598525df205b8902f8739322f1faa42eb52087048cf57164311002a8e32d2f5f
-
SSDEEP
24576:y7zYd9xdNsC/TbVTUGTL/g5zXCXPukSSw1hSD6xTBeJw6HXss5:ezY3bWYTUkhhSSuhS0G3s8
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jsc.exe -
Executes dropped EXE 1 IoCs
pid Process 4664 45.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 86 eth0.me -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4664 set thread context of 4984 4664 45.exe 105 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
pid Process 4340 taskkill.exe -
Modifies registry class 36 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "4" 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 45.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 45.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 66003100000000002f5667141000574f524b494e7e3100004e0009000400efbe2f5667142f5668142e000000982e0200000007000000000000000000000000000000449c100077006f0072006b0069006e0067005f00610074007400610063006b00000018000000 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 45.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} 45.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" 45.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff 45.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff 45.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4664 45.exe 4664 45.exe 4664 45.exe 4664 45.exe 4664 45.exe 4664 45.exe 4664 45.exe 4664 45.exe 4984 jsc.exe 4984 jsc.exe 4984 jsc.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: 33 3740 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3740 AUDIODG.EXE Token: SeRestorePrivilege 2200 7zG.exe Token: 35 2200 7zG.exe Token: SeSecurityPrivilege 2200 7zG.exe Token: SeSecurityPrivilege 2200 7zG.exe Token: SeDebugPrivilege 4984 jsc.exe Token: SeDebugPrivilege 4340 taskkill.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2200 7zG.exe 4664 45.exe 4664 45.exe 4664 45.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 4664 45.exe 4664 45.exe 4664 45.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5108 OpenWith.exe 4664 45.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4664 wrote to memory of 4984 4664 45.exe 105 PID 4664 wrote to memory of 4984 4664 45.exe 105 PID 4664 wrote to memory of 4984 4664 45.exe 105 PID 4664 wrote to memory of 4984 4664 45.exe 105 PID 4664 wrote to memory of 4984 4664 45.exe 105 PID 4984 wrote to memory of 4340 4984 jsc.exe 106 PID 4984 wrote to memory of 4340 4984 jsc.exe 106 PID 4984 wrote to memory of 4340 4984 jsc.exe 106
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\working_attack.7z1⤵
- Modifies registry class
PID:4276
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5108
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x330 0x2441⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2588
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\working_attack\" -spe -an -ai#7zMap7305:84:7zEvent155111⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2200
-
C:\Users\Admin\Desktop\working_attack\45.exe"C:\Users\Admin\Desktop\working_attack\45.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe2⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /im chrome.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
1.5MB
MD5536073c3748e4eb7bbee303547b7227d
SHA14397b1d855e799f4d38467a848cda2273c1c6c73
SHA2568e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3
SHA5123b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651