62e0c21ed2965043017a40d602cefea1b19cd410fa1cb910528ba076bc973848

Resubmissions

18/09/2023, 23:03

230918-21m3lsdb3v 8

18/09/2023, 23:01

230918-2zhfqsfc79 8

Analysis

max time kernel
9s
max time network
11s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 23:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

o6sa6ka6.exe
Size

156KB
MD5

39cacdf0b3e11aa4cebb0a9cb405f924
SHA1

741e4684c9ef07f8b2a74e428d45250ce51eeec7
SHA256

62e0c21ed2965043017a40d602cefea1b19cd410fa1cb910528ba076bc973848
SHA512

891c0843790a96b4e09b1c2af79007f6d79f56fcbf2794e88673c5ec80c744f30c1c5ea97361d3b0f0a906fd7bde179052841f62488c342000ecce864f9bc51a
SSDEEP

3072:uahKyd2n31U5GWp1icKAArDZz4N9GhbkrNEkB4nEka:uahO0p0yN90QEK

Score

6^/10

persistence ransomware

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	o6sa6ka6.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\Wallpaper = "C:\\sufiaw\\o6sa6ka6.jpg"	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeIncreaseQuotaPrivilege	2176	powershell.exe
Token: SeSecurityPrivilege	2176	powershell.exe
Token: SeTakeOwnershipPrivilege	2176	powershell.exe
Token: SeLoadDriverPrivilege	2176	powershell.exe
Token: SeSystemProfilePrivilege	2176	powershell.exe
Token: SeSystemtimePrivilege	2176	powershell.exe
Token: SeProfSingleProcessPrivilege	2176	powershell.exe
Token: SeIncBasePriorityPrivilege	2176	powershell.exe
Token: SeCreatePagefilePrivilege	2176	powershell.exe
Token: SeBackupPrivilege	2176	powershell.exe
Token: SeRestorePrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeSystemEnvironmentPrivilege	2176	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	powershell.exe
Token: SeUndockPrivilege	2176	powershell.exe
Token: SeManageVolumePrivilege	2176	powershell.exe
Token: 33	2176	powershell.exe
Token: 34	2176	powershell.exe
Token: 35	2176	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2176	2184	o6sa6ka6.exe	28
PID 2184 wrote to memory of 2176	2184	o6sa6ka6.exe	28
PID 2184 wrote to memory of 2176	2184	o6sa6ka6.exe	28

C:\Users\Admin\AppData\Local\Temp\o6sa6ka6.exe
"C:\Users\Admin\AppData\Local\Temp\o6sa6ka6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -executionpolicy bypass -file o6sa6ka6.ps1
  2⤵
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o6sa6ka6.ps1

Filesize
755B

MD5
60001552804d6d46125e472a0ce933b2

SHA1
c7e3bbe870ccd97b6707ba53a349e0af0697f1bb

SHA256
d4dd2f0c2a880f6bcaeee5ecb8daa10df65cba722f4f530feaefb77a74a965a3

SHA512
85f45198b9dd5e3fe1a1bf5300750bfff617d1834dd21d9e8faa6d2bce78ce460177c3767b7c593328480faba03d4cd714654e49d1a6097a98affbf7d76c371b

Download Submit
memory/2176-6-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2176-7-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2176-8-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-9-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2176-10-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2176-11-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-12-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2176-15-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2464-16-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2640-14-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads