Analysis
- max time kernel: 152s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 14:15

Static task: static1

Behavioral task: behavioral1
- Sample: 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
- Resource: win10v2004-20220812-en
General
- Target: 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
- Size: 3.0MB
- MD5: 1f940e2f51ca26ed781279ef62c15ed6
- SHA1: 0128493a43ce13652709628437f7142abe60b16b
- SHA256: 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78
- SHA512: 3850bf301d8b925e9fb6c687c552af6d1e81931a9b2a365da0c701fae604457ef9dd287c5648c825e4e2fb522a0f280484c8ff5af745c446a82eaa360ae0f690
- SSDEEP: 49152:bXz+O50P0qdjy98BXzqPmb07DWkUdbnMxPucadyh5yLAd2TJwWpCRJltFhjW78Qx:bXz+UQxxyqBj4JDWkURi2caobCwWATir
Malware Config
Signatures

- Banload
  Banload variants download malicious files, then install and execute the files.

- Executes dropped EXE (4 IoCs)
  Processes:
  - PID 996: svchost.exe
  - PID 1480: svchost.exe
  - PID 832: update_elf.exe
  - PID 1724: update_elf.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - update_elf.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
  - update_elf.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

- Drops startup file (1 IoC)
  Processes:
  - 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\не расстраивайся.txt

- Loads dropped DLL (3 IoCs)
  Processes:
  - PID 1632: 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
  - PID 1632: 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
  - PID 832: update_elf.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in Program Files directory (2 IoCs)
  Processes:
  - 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe: File opened for modification C:\Program Files (x86)\Информационные Решения\Справочная информация!\update_elf.exe
  - 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe: File opened for modification C:\Program Files (x86)\Информационные Решения\Справочная информация!\svchost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (16 IoCs)
  Processes: all entries by update_elf.exe, under the base key \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}
  - Key created: <base>\InprocServer32
  - Set value (str): <base>\InprocServer32\Class = "Microsoft.Office.Interop.OutlookViewCtl.DataCtlClass"
  - Set value (str): <base>\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.OutlookViewCtl, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
  - Set value (str): <base>\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.OutlookViewCtl.DataCtlClass"
  - Key created: <base>
  - Set value (str): <base>\InprocServer32\Assembly = "Microsoft.Office.Interop.OutlookViewCtl, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
  - Set value (str): <base>\InprocServer32\RuntimeVersion = "v2.0.50727"
  - Set value (str): <base>\ = "Outlook Today's Data-binding control"
  - Set value (str): <base>\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"
  - Set value (str): <base>\ProgID\ = "DataCtl.DataCtl.1"
  - Key created: <base>\InprocServer32\14.0.0.0
  - Set value (str): <base>\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLCTL.DLL"
  - Key created: <base>\ProgID
  - Key created: <base>\VersionIndependentProgID
  - Set value (str): <base>\VersionIndependentProgID\ = "DataCtl.DataCtl"
  - Set value (str): <base>\InprocServer32\ThreadingModel = "Apartment"

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: 33, PID 1724, update_elf.exe
  - Token: SeIncBasePriorityPrivilege, PID 1724, update_elf.exe
  - Token: 33, PID 1724, update_elf.exe
  - Token: SeIncBasePriorityPrivilege, PID 1724, update_elf.exe

- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (source PID wrote to memory of target PID; repeated IoCs of the same pair are counted):
  - PID 1632 (9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe) wrote to memory of PID 996 (svchost.exe): 4 IoCs
  - PID 996 (svchost.exe) wrote to memory of PID 1480 (svchost.exe): 6 IoCs
  - PID 1632 (9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe) wrote to memory of PID 832 (update_elf.exe): 7 IoCs
  - PID 832 (update_elf.exe) wrote to memory of PID 1724 (update_elf.exe): 10 IoCs
Processes (process tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe"
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Информационные Решения\Справочная информация!\svchost.exe
    Command line: "C:\Program Files (x86)\Информационные Решения\Справочная информация!\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Информационные Решения\Справочная информация!\svchost.exe
      Command line: "C:\Program Files (x86)\Информационные Решения\Справочная информация!\svchost.exe"
      - Executes dropped EXE

  - C:\Program Files (x86)\Информационные Решения\Справочная информация!\update_elf.exe
    Command line: "C:\Program Files (x86)\Информационные Решения\Справочная информация!\update_elf.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Информационные Решения\Справочная информация!\update_elf.exe
      Command line: "C:\Program Files (x86)\Информационные Решения\Справочная информация!\update_elf.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files (x86)\Информационные Решения\Справочная информация!\svchost.exe
  Filesize: 2.2MB
  MD5: f3822f3fdb660560c329de615a934d91
  SHA1: 19c41447d19ffaf4642838ab54c562c7519020cf
  SHA256: 00bb37849fa4b011d473bc503ad10392baf1787bbb3570f1f72010e04816f7fd
  SHA512: a1990e97fca5377ee26ce88ed360d05456b3d8a0685c6bfaf7d54cc41d8cb7eaf7fd115bb063ecee5c562819826bb2a18019644e35025530dabf40b03b71e3b1

- C:\Program Files (x86)\Информационные Решения\Справочная информация!\update_elf.exe
  Filesize: 1.8MB
  MD5: b389dbde8adc6b322ace14563fb1df65
  SHA1: 40a571cd08005336290165d8c90a9fa020bb8ba5
  SHA256: b653e0cdd78c9ab82cc09f6a9b5329b1d485e5b89b433b27d0ab5b4721d570d7
  SHA512: d74f929a45fbd8573afaa6a802eacaa20a4d16abce528526f124c708345a180fcfe98cbb34b010fa1cf9e542c87356911222650ae2a63c5074e8382a5aa95600