Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2023 06:43
Static task: static1
Behavioral task: behavioral1
- Sample: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe
- Resource: win10v2004-20230221-en
General
- Target: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe
- Size: 263KB
- MD5: 3c24e8c069a63db138fe582142baf01b
- SHA1: bc9a2f3542fe9fef211fe86973e227c3c98bd26b
- SHA256: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712
- SHA512: 79f740b56ff4f252ede5226e34657c9ad81caf3fde1dde1ad904bea291b82660cc986b76fd15d6035316c2b714df46d3c692ae98a987f0a7041b11c6d6c8aa16
- SSDEEP: 6144:FZuuObR8sVImcyYmDuDOJTv5PWo89GPTT7UuZt9FxhZwp:6V+mzjUOJb5PSyXUuDHqp
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: regedit.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (regedit.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegStart = "C:\\WINDOWS\\system32\\evins.exe" (regedit.exe)
- Installs/modifies Browser Helper Object (2 TTPs, 5 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: regedit.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (regedit.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (regedit.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (regedit.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (regedit.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects (regedit.exe)
- Drops file in System32 directory (9 IoCs)
  Processes: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe
  File created: C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_7100026
  File created: C:\WINDOWS\SysWOW64\remove.reg
  File created: C:\WINDOWS\SysWOW64\rs.bat
  File opened for modification: C:\WINDOWS\SysWOW64\rs.bat
  File created: C:\WINDOWS\SysWOW64\evins.exe
  File opened for modification: C:\WINDOWS\SysWOW64\remove.reg
  File created: C:\WINDOWS\SysWOW64\rs.REG
  File opened for modification: C:\WINDOWS\SysWOW64\rs.REG
  File opened for modification: C:\WINDOWS\SysWOW64\evins.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes: regedit.exe
  Key deleted: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (regedit.exe)
  Key deleted: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar (regedit.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar (regedit.exe)
- Runs .reg file with regedit (1 IoCs)
  Processes: regedit.exe
  PID 1260: regedit.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe, cmd.exe
  PID 1560 wrote to memory of 472: b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe -> cmd.exe (4 entries)
  PID 472 wrote to memory of 1260: cmd.exe -> regedit.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe (PID 1560)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0cd73895d1b7abd9afde556464733feb46e5da3eaf5bc0b105b4fc15b726712.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\WINDOWS\SysWOW64\cmd.exe (PID 472)
      Command line: cmd /c ""C:\WINDOWS\system32\rs.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\SysWOW64\regedit.exe (PID 1260)
         Command line: regedit /s "C:\WINDOWS\system32\rs.Reg"
         - Adds Run key to start application
         - Installs/modifies Browser Helper Object
         - Modifies Internet Explorer settings
         - Runs .reg file with regedit
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\SysWOW64\rs.bat
  Filesize: 113B
  MD5: bef89ec5606e83c7025b77b32743726c
  SHA1: 5f124a50ae8b3a9e4847a79f774fa09452427cbf
  SHA256: 570b9830189c4c8523dccb502d8b4d305b178b823a064160d4f4e0de27433769
  SHA512: f14e25198b5ba55a609cdbe041fb0c849e06b0ac290957dcc16a6bd189a83e08f19f4ee4bffa46f7d38e759073a7296fe9aeeb73c3747282997da4737b5aad98
- C:\Windows\SysWOW64\rs.REG
  Filesize: 980B
  MD5: 3598a9065070e99d2429926062a7b436
  SHA1: 72ee8c6448c1daf1c0f7a09d5190c97689aeea1b
  SHA256: 26f3b584dad3bbb2f3bce6f7b292fc74d5a644881a936ec985ad1da6d7aa5c0d
  SHA512: 2caf6d16534c9ce6348dde9f803704a0d5fa80ac296d002d7e3a7afaa2e8cc471e02084c50c360e10f06b96216af59544babd2eea09433a03152db0aacd65c41
- C:\Windows\SysWOW64\rs.bat
  Filesize: 113B
  MD5: bef89ec5606e83c7025b77b32743726c
  SHA1: 5f124a50ae8b3a9e4847a79f774fa09452427cbf
  SHA256: 570b9830189c4c8523dccb502d8b4d305b178b823a064160d4f4e0de27433769
  SHA512: f14e25198b5ba55a609cdbe041fb0c849e06b0ac290957dcc16a6bd189a83e08f19f4ee4bffa46f7d38e759073a7296fe9aeeb73c3747282997da4737b5aad98
- memory/1560-71-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB