2cbf662624a1fb42e30e205eec056e5e16ff5dd849edda920b4bf736a7429f73

Analysis

max time kernel
21s
max time network
39s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:53

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0f24b3ba52873b578f7e5ef0e1995a93.exe
Size

56KB
MD5

0f24b3ba52873b578f7e5ef0e1995a93
SHA1

1c24e7f3f1d68dd2bff6a2175b6b307956eba174
SHA256

2cbf662624a1fb42e30e205eec056e5e16ff5dd849edda920b4bf736a7429f73
SHA512

ea36e47ebf15d7f442b3460d0e181c45074452d188c745d1d063aa777880c1339917b2729f0488afda7dfbc19b00810778e75933409d6ca42145132d1ab54390
SSDEEP

768:dzU/+5AAFlFXE5OvifISi4fsaiK/0DHusiJolg0exI8ozQBsYrtk26J+91YJmcUr:dkA1cZfIpv7OB2OoukArcRxpQed

Score

8^/10

evasion upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2308	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	C59F4582730F50FB66C1.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1484-3-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2656-18-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2308	svchost.exe
Token: SeBackupPrivilege	2880	vssvc.exe
Token: SeRestorePrivilege	2880	vssvc.exe
Token: SeAuditPrivilege	2880	vssvc.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeRestorePrivilege	2568	DrvInst.exe
Token: SeLoadDriverPrivilege	2568	DrvInst.exe
Token: SeLoadDriverPrivilege	2568	DrvInst.exe
Token: SeLoadDriverPrivilege	2568	DrvInst.exe
Token: SeShutdownPrivilege	3000	shutdown.exe
Token: SeRemoteShutdownPrivilege	3000	shutdown.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2308	1484	0f24b3ba52873b578f7e5ef0e1995a93.exe	28
PID 1484 wrote to memory of 2308	1484	0f24b3ba52873b578f7e5ef0e1995a93.exe	28
PID 1484 wrote to memory of 2308	1484	0f24b3ba52873b578f7e5ef0e1995a93.exe	28
PID 1484 wrote to memory of 2308	1484	0f24b3ba52873b578f7e5ef0e1995a93.exe	28
PID 1484 wrote to memory of 2308	1484	0f24b3ba52873b578f7e5ef0e1995a93.exe	28
PID 2308 wrote to memory of 1108	2308	svchost.exe	29
PID 2308 wrote to memory of 1108	2308	svchost.exe	29
PID 2308 wrote to memory of 1108	2308	svchost.exe	29
PID 2308 wrote to memory of 1108	2308	svchost.exe	29
PID 2308 wrote to memory of 3000	2308	svchost.exe	37
PID 2308 wrote to memory of 3000	2308	svchost.exe	37
PID 2308 wrote to memory of 3000	2308	svchost.exe	37
PID 2308 wrote to memory of 3000	2308	svchost.exe	37
PID 2308 wrote to memory of 2656	2308	svchost.exe	36
PID 2308 wrote to memory of 2656	2308	svchost.exe	36
PID 2308 wrote to memory of 2656	2308	svchost.exe	36
PID 2308 wrote to memory of 2656	2308	svchost.exe	36
PID 2656 wrote to memory of 312	2656	C59F4582730F50FB66C1.exe	39
PID 2656 wrote to memory of 312	2656	C59F4582730F50FB66C1.exe	39
PID 2656 wrote to memory of 312	2656	C59F4582730F50FB66C1.exe	39
PID 2656 wrote to memory of 312	2656	C59F4582730F50FB66C1.exe	39
PID 2656 wrote to memory of 312	2656	C59F4582730F50FB66C1.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0f24b3ba52873b578f7e5ef0e1995a93.exe
"C:\Users\Admin\AppData\Local\Temp\0f24b3ba52873b578f7e5ef0e1995a93.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Disables RegEdit via registry modification
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    3⤵
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\C59F4582730F50FB66C1.exe
    C:\Users\Admin\AppData\Local\Temp\C59F4582730F50FB66C1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:312
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown.exe -r -f -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000570" "000000000000039C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C59F4582730F50FB66C1.exe

Filesize
56KB

MD5
0f24b3ba52873b578f7e5ef0e1995a93

SHA1
1c24e7f3f1d68dd2bff6a2175b6b307956eba174

SHA256
2cbf662624a1fb42e30e205eec056e5e16ff5dd849edda920b4bf736a7429f73

SHA512
ea36e47ebf15d7f442b3460d0e181c45074452d188c745d1d063aa777880c1339917b2729f0488afda7dfbc19b00810778e75933409d6ca42145132d1ab54390

Download Submit
memory/312-17-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/312-25-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/312-22-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/1484-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1484-2-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/1484-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1484-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1588-28-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1620-24-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2308-4-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2308-20-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2308-13-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/2308-5-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Filesize
56KB

Download
memory/2656-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-15-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2656-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download