Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 10:32
Static task: static1
Behavioral task: behavioral1
- Sample: aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe
- Resource: win7-20220812-en
General
- Target: aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe
- Size: 381KB
- MD5: 0957d5d8d21751f2fd1ad2015b19abe0
- SHA1: c098ddc18a8a0dade35436f968eb43c1f4c9253c
- SHA256: aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
- SHA512: a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
- SSDEEP: 6144:3rK18vkksg2P4vWigPJJJPJJJGJJA/+aU4Kau:3rMlM2QvgPJJJPJJJGJJpF
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  svchost.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\agigviar\\imwsgijf.exe"
Winlogon runs every comma-separated entry in Userinit at logon, so appending the dropped imwsgijf.exe makes it start alongside the legitimate userinit.exe. The value landed under Wow6432Node because the writer is the 32-bit C:\Windows\SysWOW64\svchost.exe; when checking a host, inspect both the native Winlogon key and its Wow6432Node view.
UAC bypass (1 IoC)
Processes:
  svchost.exe
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Setting EnableLUA to 0 turns User Account Control off for the whole machine, effective after the next restart, rather than bypassing a single prompt.
Executes dropped EXE (1 IoC)
Processes:
  pid 1284  arunlkloqwsvtqwv.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  svchost.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Drops startup file (2 IoCs)
Processes:
  svchost.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imwsgijf.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imwsgijf.exe
Loads dropped DLL (4 IoCs)
Processes:
  pid 2008  aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe (all 4 events)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  svchost.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImwSgijf = "C:\\Users\\Admin\\AppData\\Local\\agigviar\\imwsgijf.exe"
Together with the Userinit entry and the Startup-folder copy, this gives the payload three independent logon-time persistence paths for a file named imwsgijf.exe: two point at AppData\Local\agigviar\, the third is a copy placed in the user's Startup folder.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but drive enumeration alone is a weak indicator, and no file encryption activity is recorded elsewhere in this report.
Suspicious behavior: EnumeratesProcesses (43 IoCs)
Processes:
  pid 1532  svchost.exe (all 43 events)
Suspicious behavior: LoadsDriver (1 IoC)
Processes:
  pid 460  (process name not recorded)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (in order of occurrence):
  SeSecurityPrivilege     pid 2008  aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe
  SeDebugPrivilege        pid 2008  aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe
  SeSecurityPrivilege     pid 1600  svchost.exe
  SeSecurityPrivilege     pid 1532  svchost.exe
  SeDebugPrivilege        pid 1532  svchost.exe
  SeRestorePrivilege / SeBackupPrivilege  pid 1532  svchost.exe (alternating pair, repeated)
  SeSecurityPrivilege     pid 1284  arunlkloqwsvtqwv.exe
  SeLoadDriverPrivilege   pid 1284  arunlkloqwsvtqwv.exe
  SeRestorePrivilege / SeBackupPrivilege  pid 1532  svchost.exe (alternating pair, repeated for the remainder of the 64 entries)
SeBackupPrivilege lets a process read, and SeRestorePrivilege write, files and registry keys regardless of their ACLs, which is what the injected svchost.exe needs for the HKLM writes above. SeLoadDriverPrivilege on the dropped EXE (pid 1284) is the privilege required to load a kernel driver.
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  PID 2008 (aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe) wrote to memory of PID 1600 (svchost.exe): 10 events
  PID 2008 (aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe) wrote to memory of PID 1532 (svchost.exe): 10 events
  PID 2008 (aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe) wrote to memory of PID 1284 (arunlkloqwsvtqwv.exe): 4 events
The sample launches its own svchost.exe instances and writes into them, so the registry and file-system changes listed above are performed by injected code running under a trusted process name rather than by the sample itself.
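As an added example, not part of the sandbox report, the following Python turns the signatures above into detection logic and runs it over Sysmon-style events built from this report's IoCs. The EventType labels, the field names (TargetObject, Details, TargetFilename, Image, ParentImage, ProcessId) and every sample event are constructed assumptions, not real telemetry; the checks generalise beyond this sample (any non-default Userinit value, any Run entry into a user-writable path, any svchost.exe not started by services.exe) and include two benign control events to show what does not fire.

```python
"""Detection pass over the persistence, UAC-tampering and injection chain
recorded in this report (added example, not sandbox output).  Events are
Sysmon-style dicts; the EventType labels, field names and every sample
event below are constructed from the report's IoCs, not real telemetry."""
import re

# Stock Userinit value on a clean Windows 7 host (trailing comma included).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# Accept both the kernel path form the sandbox prints and Sysmon's HKLM form,
# with or without the Wow6432Node view a 32-bit writer is redirected into.
HKLM_SW = r"^(?:\\REGISTRY\\MACHINE|HKLM)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\"
WINLOGON_RE = re.compile(HKLM_SW + r"Windows NT\\CurrentVersion\\Winlogon\\Userinit$", re.I)
ENABLELUA_RE = re.compile(HKLM_SW + r"Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)
RUN_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|dll|lnk|vbs|bat|cmd)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\", re.I)


def check_registry_set(ev):
    """Findings for one 'registry value set' event (Sysmon event 13 shape)."""
    key, value = ev["TargetObject"], str(ev.get("Details", "")).strip('"')
    findings = []
    if WINLOGON_RE.match(key):
        if value.lower() != DEFAULT_USERINIT:
            findings.append("winlogon_userinit_modified")
        if "wow6432node" in key.lower():
            findings.append("userinit_written_via_wow6432node")
    elif ENABLELUA_RE.match(key) and value == "0":
        findings.append("uac_disabled_enablelua_0")
    elif RUN_RE.search(key) and USER_WRITABLE_RE.search(value):
        findings.append("run_key_points_to_user_writable_path")
    return findings


def check_file_create(ev):
    """Findings for one file-create event (Sysmon event 11 shape)."""
    if STARTUP_RE.search(ev["TargetFilename"]):
        return ["executable_dropped_in_startup_folder"]
    return []


def check_process_create(ev):
    """Findings for one process-create event (Sysmon event 1 shape)."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    findings = []
    # Genuine svchost.exe instances are started by services.exe.
    if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
        findings.append("svchost_spawned_by_non_services_parent")
    # Weak on its own (installers do this too); strong next to the above.
    if USER_WRITABLE_RE.search(image) and USER_WRITABLE_RE.search(parent):
        findings.append("dropped_exe_run_from_user_writable_path")
    return findings


HANDLERS = {
    "RegistryValueSet": check_registry_set,
    "FileCreate": check_file_create,
    "ProcessCreate": check_process_create,
}


def triage(events):
    """Return {finding: set(pids)} over a list of events."""
    report = {}
    for ev in events:
        for finding in HANDLERS.get(ev["EventType"], lambda _: [])(ev):
            report.setdefault(finding, set()).add(ev["ProcessId"])
    return report


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe"
SAMPLE_EVENTS = [  # constructed from this report's IoCs, plus two benign controls
    {"EventType": "ProcessCreate", "ProcessId": 1532,
     "Image": r"C:\Windows\SysWOW64\svchost.exe", "ParentImage": SAMPLE},
    {"EventType": "ProcessCreate", "ProcessId": 1284,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\arunlkloqwsvtqwv.exe", "ParentImage": SAMPLE},
    {"EventType": "RegistryValueSet", "ProcessId": 1532,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"userinit.exe,C:\Users\Admin\AppData\Local\agigviar\imwsgijf.exe"},
    {"EventType": "RegistryValueSet", "ProcessId": 1532,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "0"},
    {"EventType": "RegistryValueSet", "ProcessId": 1532,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImwSgijf",
     "Details": r"C:\Users\Admin\AppData\Local\agigviar\imwsgijf.exe"},
    {"EventType": "FileCreate", "ProcessId": 1532,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imwsgijf.exe"},
    # Benign controls: a stock Userinit rewrite and a services.exe-launched svchost.
    {"EventType": "RegistryValueSet", "ProcessId": 700,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventType": "ProcessCreate", "ProcessId": 900,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for finding, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{finding:45s} pids={sorted(pids)}")
```

Running it attributes every persistence and UAC finding to pid 1532 and the dropped-EXE finding to pid 1284, while the two control events produce nothing. The Userinit check compares against the stock value rather than looking for this sample's path, so it also catches the common variant where the attacker keeps the full C:\Windows\system32\userinit.exe, prefix and appends something after the comma.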
Processes
- C:\Users\Admin\AppData\Local\Temp\aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe (pid 2008)
  command line: "C:\Users\Admin\AppData\Local\Temp\aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (pid 1600)
    command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (pid 1532)
    command line: C:\Windows\system32\svchost.exe
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\arunlkloqwsvtqwv.exe (pid 1284)
    command line: "C:\Users\Admin\AppData\Local\Temp\arunlkloqwsvtqwv.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature entries: the second svchost.exe (pid 1532) carries the persistence, UAC and process-enumeration behaviour, while the first (pid 1600) only adjusts token privileges. Both svchost.exe children were requested as C:\Windows\system32\svchost.exe but resolved to C:\Windows\SysWOW64\svchost.exe: the sample is a 32-bit executable, so WOW64 file system redirection maps system32 to SysWOW64 for it, and the matching WOW64 registry redirection is why its Winlogon write landed under Wow6432Node.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\arunlkloqwsvtqwv.exe
  Filesize: 381KB
  MD5: 0957d5d8d21751f2fd1ad2015b19abe0
  SHA1: c098ddc18a8a0dade35436f968eb43c1f4c9253c
  SHA256: aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
  SHA512: a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
-
\Users\Admin\AppData\Local\Temp\arunlkloqwsvtqwv.exe
  Filesize: 381KB
  MD5: 0957d5d8d21751f2fd1ad2015b19abe0
  SHA1: c098ddc18a8a0dade35436f968eb43c1f4c9253c
  SHA256: aed5c7355746817265352226221264d35bf753a44f273912d42629019b7c4b8f
  SHA512: a7cbde567cd869828c757bd32a6571c401782bbdc54b76c1faa9e9b2509187b81dd85a0db641fa182c04edb598be75009ed02e9f0f196942d9662a8b1ed3e0b6
The dropped arunlkloqwsvtqwv.exe has exactly the hashes of the submitted sample: it is a byte-for-byte copy of the original, executed under a new name. The second entry is the same file listed again by a path without the drive letter, so a single hash-based IoC covers both the sample and its drop.
-
memory/1284-78-0x0000000000000000-mapping.dmp
-
memory/1284-81-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
-
memory/1284-82-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
-
memory/1532-69-0x0000000020010000-0x000000002002C000-memory.dmp  Filesize: 112KB
-
memory/1532-67-0x0000000000000000-mapping.dmp
-
memory/1532-65-0x0000000020010000-0x000000002002C000-memory.dmp  Filesize: 112KB
-
memory/1600-59-0x0000000020010000-0x000000002001C000-memory.dmp  Filesize: 48KB
-
memory/1600-58-0x0000000000000000-mapping.dmp
-
memory/1600-56-0x0000000020010000-0x000000002001C000-memory.dmp  Filesize: 48KB
-
memory/2008-73-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
-
memory/2008-54-0x00000000761F1000-0x00000000761F3000-memory.dmp  Filesize: 8KB
The 0x00400000-0x00438000 (224KB) image regions of pids 2008 and 1284 are the same size, consistent with the dropped EXE being a copy of the sample. The 0x20010000 regions in the two svchost.exe instances (48KB in pid 1600, 112KB in pid 1532) sit outside the svchost.exe image and are consistent with the memory written into them by pid 2008 (see WriteProcessMemory above); these dumps are the place to look for the injected payload.