93465cd89175bd96c5200942aace1cf2acc9384ff1f028f1e845757ade82361b

Analysis

max time kernel
144s
max time network
31s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f019c781190cefb52a2ddde54379d29d.exe
Size

110KB
MD5

f019c781190cefb52a2ddde54379d29d
SHA1

db345587033eb8a26fd0edd6ee8492faac76ac40
SHA256

93465cd89175bd96c5200942aace1cf2acc9384ff1f028f1e845757ade82361b
SHA512

fd3335a31f5133274039fd5bff4bd89f0bd19c787de79ffc97a7c0f07985f783fd625a5404206b344b3f0ce0656ca6a71e8633e608832fb8dac424cf01075b99
SSDEEP

1536:J5C4c7H718iZJmhKhdoaIkcXTLjfWidbGPECG+1+2PwuLJWj9a53HMGvEXg4:q//18iZMhKhI+ubNLmLq9KHMzg4

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
660	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
268	APIWrapper.exe

Loads dropped DLL 5 IoCs

pid	Process
2008	f019c781190cefb52a2ddde54379d29d.exe
2008	f019c781190cefb52a2ddde54379d29d.exe
2008	f019c781190cefb52a2ddde54379d29d.exe
2008	f019c781190cefb52a2ddde54379d29d.exe
2008	f019c781190cefb52a2ddde54379d29d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\ASB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\APIWrapper.exe"	APIWrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1140	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
268	APIWrapper.exe
268	APIWrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	APIWrapper.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 1140	2008	f019c781190cefb52a2ddde54379d29d.exe	28
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 2008 wrote to memory of 268	2008	f019c781190cefb52a2ddde54379d29d.exe	29
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 660	268	APIWrapper.exe	30
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 268 wrote to memory of 1416	268	APIWrapper.exe	32
PID 1416 wrote to memory of 240	1416	net.exe	34
PID 1416 wrote to memory of 240	1416	net.exe	34
PID 1416 wrote to memory of 240	1416	net.exe	34
PID 1416 wrote to memory of 240	1416	net.exe	34
PID 1416 wrote to memory of 240	1416	net.exe	34
PID 1416 wrote to memory of 240	1416	net.exe	34
PID 1416 wrote to memory of 240	1416	net.exe	34

C:\Users\Admin\AppData\Local\Temp\f019c781190cefb52a2ddde54379d29d.exe
"C:\Users\Admin\AppData\Local\Temp\f019c781190cefb52a2ddde54379d29d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NTT_Customer_Notification.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:660
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop wuauserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTT_Customer_Notification.txt

Filesize
919B

MD5
a245be3b944db50a32f5fd7b0073872f

SHA1
b97cf469bbbba82e8e691c36acf20f4fd2765ec3

SHA256
d22ccc3b5bf14f94cfc77e4c7a9aac648452ee0e80f903bf02d1b6e59faacbed

SHA512
2908486e66e574cc05825288dd382dc3e4627c885c889b1e779bebed8d218f5d6488223db9cacfdc7bbb4a094c3c9cab4f7be8cd9bbdce4d5fb18fce210cb345

Download Submit
\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
memory/268-76-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/268-77-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/268-78-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/268-79-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download