b095ef14c5f8a5fdab59b407ae3117a942928b361a2af0a574e3046431f9f907

Resubmissions

07/05/2023, 19:09

230507-xt4dssfe62 3

07/05/2023, 19:04

230507-xq8jcahc8x 3

07/05/2023, 19:01

230507-xpdmkshc71 10

Analysis

max time kernel
147s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/05/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empty.jpg
Size

55KB
MD5

f7796b4270e876b8acf653c1632f2626
SHA1

e8fbb0a599801f8698dd4753e390294614bfe833
SHA256

b095ef14c5f8a5fdab59b407ae3117a942928b361a2af0a574e3046431f9f907
SHA512

3cc5ef085f4784d3416cdd94415e02fe4cd6e445eff7c3c85d7daa2d039a5ad2f053cd1960b9c13c818ca67abc77304d2bb0caa6565f0687d788a525945dcb64
SSDEEP

1536:DfJMSeftY5lmSF6KQtsh/tjXCiFyUNien:rotEdFV7fLFxhn

Score

10^/10

evasion ransomware

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Explorer.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-1563773381-2037468142-1146002597-500\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Administrator\Contacts\desktop.ini	WinMail.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-500\Control Panel\Desktop\Wallpaper = "C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-500\Software\Microsoft\Internet Explorer\Desktop\General	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-500\Software\Microsoft\Internet Explorer\Desktop	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-500\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg"	regsvr32.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-500_CLASSES\Local Settings\MuiCache	Explorer.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	whoami.exe
Token: 33	1308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1308	AUDIODG.EXE
Token: 33	1308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1308	AUDIODG.EXE
Token: SeShutdownPrivilege	1004	LogonUI.exe
Token: SeSecurityPrivilege	656	winlogon.exe
Token: SeBackupPrivilege	656	winlogon.exe
Token: SeSecurityPrivilege	656	winlogon.exe
Token: SeTcbPrivilege	656	winlogon.exe
Token: SeSecurityPrivilege	656	winlogon.exe
Token: SeBackupPrivilege	656	winlogon.exe
Token: SeSecurityPrivilege	656	winlogon.exe
Token: SeManageVolumePrivilege	112	WinMail.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1704	rundll32.exe
1704	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
112	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1136	1632	cmd.exe	33
PID 1632 wrote to memory of 1136	1632	cmd.exe	33
PID 1632 wrote to memory of 1136	1632	cmd.exe	33
PID 2000 wrote to memory of 948	2000	cmd.exe	36
PID 2000 wrote to memory of 948	2000	cmd.exe	36
PID 2000 wrote to memory of 948	2000	cmd.exe	36
PID 948 wrote to memory of 1088	948	net.exe	37
PID 948 wrote to memory of 1088	948	net.exe	37
PID 948 wrote to memory of 1088	948	net.exe	37
PID 2000 wrote to memory of 1612	2000	cmd.exe	38
PID 2000 wrote to memory of 1612	2000	cmd.exe	38
PID 2000 wrote to memory of 1612	2000	cmd.exe	38
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 656 wrote to memory of 1004	656	winlogon.exe	44
PID 656 wrote to memory of 1004	656	winlogon.exe	44
PID 656 wrote to memory of 1004	656	winlogon.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1004	564	csrss.exe	44
PID 564 wrote to memory of 1084	564	csrss.exe	47
PID 564 wrote to memory of 1084	564	csrss.exe	47
PID 656 wrote to memory of 1084	656	winlogon.exe	47
PID 656 wrote to memory of 1084	656	winlogon.exe	47
PID 656 wrote to memory of 1084	656	winlogon.exe	47
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 1084 wrote to memory of 1460	1084	userinit.exe	49
PID 1084 wrote to memory of 1460	1084	userinit.exe	49
PID 1084 wrote to memory of 1460	1084	userinit.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 1460	564	csrss.exe	49
PID 564 wrote to memory of 872	564	csrss.exe	50
PID 564 wrote to memory of 872	564	csrss.exe	50
PID 1460 wrote to memory of 872	1460	Explorer.EXE	50
PID 1460 wrote to memory of 872	1460	Explorer.EXE	50
PID 1460 wrote to memory of 872	1460	Explorer.EXE	50
PID 1460 wrote to memory of 872	1460	Explorer.EXE	50
PID 1460 wrote to memory of 872	1460	Explorer.EXE	50
PID 564 wrote to memory of 872	564	csrss.exe	50
PID 564 wrote to memory of 872	564	csrss.exe	50
PID 564 wrote to memory of 872	564	csrss.exe	50
PID 564 wrote to memory of 804	564	csrss.exe	51
PID 564 wrote to memory of 804	564	csrss.exe	51
PID 656 wrote to memory of 804	656	winlogon.exe	51
PID 656 wrote to memory of 804	656	winlogon.exe	51
PID 656 wrote to memory of 804	656	winlogon.exe	51
PID 564 wrote to memory of 804	564	csrss.exe	51
PID 564 wrote to memory of 804	564	csrss.exe	51
PID 564 wrote to memory of 1276	564	csrss.exe	52
PID 564 wrote to memory of 1276	564	csrss.exe	52
PID 656 wrote to memory of 1276	656	winlogon.exe	52
PID 656 wrote to memory of 1276	656	winlogon.exe	52
PID 656 wrote to memory of 1276	656	winlogon.exe	52

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\empty.jpg
1⤵
- Suspicious use of FindShellTrayWindow
PID:1704

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1232

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\net.exe
  net user Administrator /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user Administrator /active:yes
    3⤵
    PID:1088
- C:\Windows\system32\shutdown.exe
  shutdown /l
  2⤵
  PID:1612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\system32\userinit.exe
  C:\Windows\system32\userinit.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies Internet Explorer settings
      PID:872
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Drops desktop.ini file(s)
      PID:1516
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:112
- C:\Windows\system32\sethc.exe
  sethc.exe 211
  2⤵
  PID:804
- C:\Windows\system32\sethc.exe
  sethc.exe 211
  2⤵
  PID:1276
- C:\Windows\system32\sethc.exe
  sethc.exe 211
  2⤵
  PID:1192
- C:\Windows\system32\sethc.exe
  sethc.exe 211
  2⤵
  PID:1556

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
b770ee6b67ddb2af834c6a917bafef21

SHA1
8d7712737feaf48bb518f055f253a648da31a3ec

SHA256
4f6635296cd25300cf3adde819fdd85a4c51db6a84e18aa87c3e4a4062b78b29

SHA512
ff2e916bc6d2cfb55eb57f4a53909d22083f0d16fdd79284cfe060d1118ef3519b748d72e080687e44d55e238736b822ca02903b86e34de656e6b0784106e93a

Download Submit
C:\Users\Administrator\Contacts\Administrator.contact

Filesize
66KB

MD5
3ae993c458513e2bb0d3f4fd7461fe4d

SHA1
123eda900c99b44c3100765327589d7d9f168733

SHA256
5c86dad69d6dd3b291f937e2bf1c144110cc28f1ddee55affdfb182abee04e5b

SHA512
88cf33c3395d020ecd676908d11cd544d876b8857031601a75b9489648fa49979a664a4ce505fc6988a1a50a142104d5c0e07e6be24fca933842b9998c87cf8b

Download Submit
memory/112-81-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download
memory/112-87-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/112-100-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/112-102-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/804-58-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1004-57-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1004-59-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1636-56-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1704-54-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1704-55-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads