Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 03:01

General

  • Target

    ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe

  • Size

    146KB

  • MD5

    521666a43aeb19e91e7df9a3f9fe76ba

  • SHA1

    663081e2767df7083f765a3a8a994982959d4cbe

  • SHA256

    ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd

  • SHA512

    cd1414158094328ee2f56a995ee4724604f05c0df5a08f4ae1c653e19cb0158a58ffa2cafc3a2363fc13ef617320979e11bc6281c4c79066a6787c0545c6ec54

  • SSDEEP

    3072:S4PDTrekAooSPxQQvYO3ppr4nwd/T7YfeJFDGfYfaPLmy816SX:SOrNAmPiUprWKTMferDGmaP17SX

Malware Config

Signatures

  • Renames multiple (7822) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
    "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2512
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW5.tmp"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\ProgramData\LPW5.tmp
        C:\ProgramData\LPW5.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW5.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\CYLANCE_README.txt

    Filesize

    1KB

    MD5

    38aa4cc478c9256f32512e2e7ccbd9d2

    SHA1

    f54cc3fa07fea8d745e7c1a84935091f719e49c3

    SHA256

    30a49b4694c9b68f8343714a69c3f9fc96ac24c1d275da4cae47115428ffbf2b

    SHA512

    d94a315c0cefce6dab0687a4b0fcb18218b064ccdc300ea84ae07e48165b49c94f2c4ace54f214bec97af36336459f86806c7f8da0226299b85cabaa5378d464

  • C:\ProgramData\LPW5.tmp

    Filesize

    5KB

    MD5

    ab65af4349e7c5b0872c8b808d036980

    SHA1

    414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

    SHA256

    a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

    SHA512

    2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679