8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800

Analysis

max time kernel
0s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe
Size

1.1MB
MD5

7d1c7ce6a2f202bb5df3f45c7f62bac3
SHA1

50a9f5b3130b14d5a18b418e9c355586eaecf4fb
SHA256

81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740
SHA512

48b20444b0d72a37ecbed0969e2a9d9be3efc51d75e1283bc755cad10068fb40055430dc1fc4b295aae3d31d71de86d84b4f1c29da8636a3ef0baf014eaf82cd
SSDEEP

24576:RsBH9jqVwCwh/RICu4upRwIzAKXRYVN2uaj7MM1By+hm:uH9jJ9RspRwIDRiJak2By+hm

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2840 schtasks.exe

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

pid	process
2840	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2360	timeout.exe
1324	timeout.exe
1684	timeout.exe
2084	timeout.exe
2944	timeout.exe
1880	timeout.exe
3036	timeout.exe
1924	timeout.exe
2668	timeout.exe
2820	timeout.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2616	tasklist.exe
1752	tasklist.exe
2544	tasklist.exe
776	tasklist.exe
700	tasklist.exe
884	tasklist.exe
2064	tasklist.exe
2676	tasklist.exe
2072	tasklist.exe
608	tasklist.exe
1620	tasklist.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

2204 systeminfo.exe
1660 systeminfo.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1992 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tasklist.exe

pid process

1752 tasklist.exe
1752 tasklist.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 1752 tasklist.exe

pid	process
2204	systeminfo.exe
1660	systeminfo.exe

pid	process
1992	vssadmin.exe

pid	process
1752	tasklist.exe
1752	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1752	tasklist.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1044 wrote to memory of 1968	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 1968	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 1968	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 1968	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1968 wrote to memory of 1752	1968	cmd.exe	tasklist.exe
PID 1968 wrote to memory of 1752	1968	cmd.exe	tasklist.exe
PID 1968 wrote to memory of 1752	1968	cmd.exe	tasklist.exe
PID 1968 wrote to memory of 1752	1968	cmd.exe	tasklist.exe
PID 1968 wrote to memory of 2264	1968	cmd.exe	findstr.exe
PID 1968 wrote to memory of 2264	1968	cmd.exe	findstr.exe
PID 1968 wrote to memory of 2264	1968	cmd.exe	findstr.exe
PID 1968 wrote to memory of 2264	1968	cmd.exe	findstr.exe
PID 1044 wrote to memory of 2848	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2848	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2848	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2848	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2572	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2572	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2572	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2572	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 2572 wrote to memory of 2752	2572	cmd.exe	WScript.exe
PID 2572 wrote to memory of 2752	2572	cmd.exe	WScript.exe
PID 2572 wrote to memory of 2752	2572	cmd.exe	WScript.exe
PID 2572 wrote to memory of 2752	2572	cmd.exe	WScript.exe
PID 1044 wrote to memory of 2056	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2056	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2056	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 1044 wrote to memory of 2056	1044	81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe	cmd.exe
PID 2056 wrote to memory of 2840	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 2840	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 2840	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 2840	2056	cmd.exe	schtasks.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\findstr.exe
findstr /i "dcdcf"
2⤵
PID:2264

C:\Windows\SysWOW64\tasklist.exe
tasklist /v /fo csv
2⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe
"C:\Users\Admin\AppData\Local\Temp\81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo %date%-%time%
2⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
2⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
2⤵
PID:1528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
1⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
2⤵
PID:2480

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1880

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:2296

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:2072

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:776

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:488

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3036

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:2364

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:608

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1684

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:780

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:1620

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1924

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:2220

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:700

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:1732

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2084

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:884

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:2376

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2944

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2668

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:2872

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:2676

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2820

C:\Windows\SysWOW64\find.exe
find /I "81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe"
3⤵
PID:2800

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq 81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740.exe" /fo csv
3⤵
- Enumerates processes with tasklist
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
2⤵
PID:2800

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
1⤵
- Creates scheduled task(s)
PID:2840

C:\Windows\SysWOW64\find.exe
find /I /c "dcdcf"
1⤵
PID:2556

C:\Windows\SysWOW64\find.exe
find /i "os name"
1⤵
PID:2964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:940

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
1⤵
- Delays execution with timeout.exe
PID:2360

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:1992

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
1⤵
- Gathers system information
PID:2204

C:\Windows\SysWOW64\tasklist.exe
tasklist /v
1⤵
- Enumerates processes with tasklist
PID:2544

C:\Windows\SysWOW64\find.exe
find /i "original"
1⤵
PID:1644

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
1⤵
- Gathers system information
PID:1660

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\h4_svc.bat

Filesize
2KB

MD5
09f8d44c69e9eae827e435cde094de21

SHA1
4840b8ef91578374c17e003ab3eaa6750f9be7d9

SHA256
4359939b1e129a575f53227297b469e519f452803b295f11c466a3be692b5102

SHA512
579f090a25afb16b0201c22786c5e9ad47cfa5bb3f998d2baa96e0aba0081efa71220a994c58accf0d2d6da0cbe4d545a8b41018a59c1e78ead4e7f35c18b405

Download Submit
C:\Users\Admin\AppData\t2_svc.bat

Filesize
138B

MD5
702f5dc6f9dec28c8c9b7b6885c9fe09

SHA1
dbb85da6de899deb21ce0a8f25c1726cd19e49e8

SHA256
20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9

SHA512
fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

Download Submit
C:\Users\Admin\AppData\v9_svc.vbs

Filesize
686B

MD5
e9c50acda9063b2462697bdbd0a0dfe2

SHA1
d1a2bc54905ce0e9121f8e5c249e0527f2190b7e

SHA256
f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd

SHA512
d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

Download Submit