Analysis
- max time kernel: 83s
- max time network: 82s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 13:22
Behavioral task: behavioral1
- Sample: TwentyApp.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: TwentyApp.exe
- Resource: win10v2004-20230220-en
General
- Target: TwentyApp.exe
- Size: 3.3MB
- MD5: 5e2b1df5effbe5123eeff6752af2ca59
- SHA1: 2e1597b42c40155aa4f56ed708ea4aeb2a5d8698
- SHA256: cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37
- SHA512: e1ce42dbea6940dbf883ba32f4e934dce2803606a3109369ddfc9cf47e89d82f4f6fcb1854a0745a0e4cb0ad1e095627f35c03a06fa5f42693638039b58698c2
- SSDEEP: 98304:mZgO4UAJkCxZt3e0Y6qRlp5CNMqMDstLS7cqjAny:mZg3JlB3gXRlpkMqUM6cqjo
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: TwentyApp.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TwentyApp.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: TwentyApp.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TwentyApp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TwentyApp.exe
-
Processes (YARA rule matches):
  resource | yara_rule
  behavioral1/memory/1388-57-0x00000000001C0000-0x0000000000A86000-memory.dmp | themida
  behavioral1/memory/1388-58-0x00000000001C0000-0x0000000000A86000-memory.dmp | themida
  behavioral1/memory/1388-90-0x00000000001C0000-0x0000000000A86000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes: TwentyApp.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TwentyApp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
Processes: TwentyApp.exe
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob value omitted) | TwentyApp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | TwentyApp.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
  pid | process
  1916 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: powershell.exe, powershell.exe
  pid | process
  648 | powershell.exe
  552 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: TwentyApp.exe, powershell.exe, powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe
  description | pid | process
  Token: SeDebugPrivilege | 1388 | TwentyApp.exe
  Token: SeDebugPrivilege | 648 | powershell.exe
  Token: SeDebugPrivilege | 552 | powershell.exe
  Token: SeShutdownPrivilege | 1900 | powercfg.exe
  Token: SeShutdownPrivilege | 2000 | powercfg.exe
  Token: SeShutdownPrivilege | 1568 | powercfg.exe
  Token: SeShutdownPrivilege | 2020 | powercfg.exe
  Token: SeShutdownPrivilege | 1792 | powercfg.exe
  Token: SeShutdownPrivilege | 1092 | powercfg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: TwentyApp.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Each parent/child pair below is recorded four times in the report (16 pairs, 64 IoCs in total).
  description | pid | process | target process
  PID 1388 wrote to memory of 1772 | 1388 | TwentyApp.exe | cmd.exe (x4)
  PID 1772 wrote to memory of 648 | 1772 | cmd.exe | powershell.exe (x4)
  PID 1388 wrote to memory of 944 | 1388 | TwentyApp.exe | cmd.exe (x4)
  PID 944 wrote to memory of 552 | 944 | cmd.exe | powershell.exe (x4)
  PID 944 wrote to memory of 1816 | 944 | cmd.exe | cmd.exe (x4)
  PID 1816 wrote to memory of 1900 | 1816 | cmd.exe | powercfg.exe (x4)
  PID 944 wrote to memory of 1712 | 944 | cmd.exe | cmd.exe (x4)
  PID 1712 wrote to memory of 1756 | 1712 | cmd.exe | cmd.exe (x4)
  PID 1712 wrote to memory of 1908 | 1712 | cmd.exe | findstr.exe (x4)
  PID 944 wrote to memory of 2000 | 944 | cmd.exe | powercfg.exe (x4)
  PID 944 wrote to memory of 1612 | 944 | cmd.exe | cmd.exe (x4)
  PID 1612 wrote to memory of 1568 | 1612 | cmd.exe | powercfg.exe (x4)
  PID 944 wrote to memory of 2020 | 944 | cmd.exe | powercfg.exe (x4)
  PID 944 wrote to memory of 1792 | 944 | cmd.exe | powercfg.exe (x4)
  PID 944 wrote to memory of 1092 | 944 | cmd.exe | powercfg.exe (x4)
  PID 1388 wrote to memory of 1916 | 1388 | TwentyApp.exe | NOTEPAD.EXE (x4)
Processes (process tree; the number in brackets is the depth in the tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1012060155208282172/1075934313662644224/BitsumHighestPerformance.pow' -OutFile 'C:\Users\Admin\AppData\Local\Temp\powerplan.pow'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\powercfg.exe
          command line: powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c echo | findstr /C:"GUID:"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo "
      [4] C:\Windows\SysWOW64\findstr.exe
          command line: findstr /C:"GUID:"
    [3] C:\Windows\SysWOW64\powercfg.exe
        command line: powercfg setactive =
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c powercfg /l
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\powercfg.exe
          command line: powercfg /l
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\powercfg.exe
        command line: powercfg /delete 381b4222-f694-41f0-9685-ff5bb260df2e
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\powercfg.exe
        command line: powercfg /delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\powercfg.exe
        command line: powercfg /delete a1841308-3541-4fab-bc81-f71556f20b4a
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gracias.txt
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gracias.txt
Filesize: 197B
MD5: f09d5847eccbfdd8a2a04df5ce0470aa
SHA1: e59cb73b953f47ecf57551e640d5a10db5e244b9
SHA256: 66bdeebf85948d9e558a4a28d91bd9fc5a8d146a3f9ec17f913955788db2e61b
SHA512: 4165aa01640d5660d3def9b287bfde30a534341c217d5b8adb754bb2e10ee017ae14fbb73e5e43025dde987ad18cf4b893529d279be0820be759d70c8fe3407f
-
C:\Users\Admin\AppData\Local\Temp\tempFile.bat
Filesize: 898B
MD5: f2976acd4e0dfcbff62b3994ad0182a6
SHA1: 4b0f299d9e000a8629d7b4089f3460ef7458bbc0
SHA256: b7ea575b6660463b4a60b495d66e4ccd9d25cca60dab20eaecb424f2ab4d72f2
SHA512: b5369670e5b9abc350c958475745e5cd9bc45fe3355630945368b5a0fca6e264ba58c076271807998ea487c9cf50489fa87c710286ef9e95b6c49a9d0a453126
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4BT37GG89ABXJOTX39DQ.temp
Filesize: 7KB
MD5: 31ed514d26db9d44b35ddbfa2b2b580f
SHA1: 10469b62f56c313c074f1fe3889ac8914327040c
SHA256: 90dc127f2969433bea0ac57e0fbe835e47cc397f37bcbf36cfa3cee8ec6dfbb8
SHA512: 3ca4de31fbe66a899e45d696394852aaf0888a7bc16617fbfa12917de0e2ff85dabe07fa0cc0202fb0673c65f582b2595b4875a64c0edf7923ad58af53cfb716
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 31ed514d26db9d44b35ddbfa2b2b580f
SHA1: 10469b62f56c313c074f1fe3889ac8914327040c
SHA256: 90dc127f2969433bea0ac57e0fbe835e47cc397f37bcbf36cfa3cee8ec6dfbb8
SHA512: 3ca4de31fbe66a899e45d696394852aaf0888a7bc16617fbfa12917de0e2ff85dabe07fa0cc0202fb0673c65f582b2595b4875a64c0edf7923ad58af53cfb716
-
memory/648-69-0x0000000002690000-0x00000000026D0000-memory.dmp
Filesize: 256KB
-
memory/1388-57-0x00000000001C0000-0x0000000000A86000-memory.dmp
Filesize: 8.8MB
-
memory/1388-58-0x00000000001C0000-0x0000000000A86000-memory.dmp
Filesize: 8.8MB
-
memory/1388-59-0x0000000005170000-0x00000000051B0000-memory.dmp
Filesize: 256KB
-
memory/1388-60-0x0000000005170000-0x00000000051B0000-memory.dmp
Filesize: 256KB
-
memory/1388-62-0x00000000001C0000-0x0000000000A86000-memory.dmp
Filesize: 8.8MB
-
memory/1388-90-0x00000000001C0000-0x0000000000A86000-memory.dmp
Filesize: 8.8MB