The submitted file 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583 is classified as RANSOMWARE |
SHA256 | 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583 |
File Name | 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583 |
File Type | Win32 EXE |
Environment | Windows10 |
Analysis Start Time | 2023-05-15 07:32:23 (UTC) |
Analysis End Time | 2023-05-15 07:37:58 (UTC) | Tags |
|
Static Analysis: MALICIOUS | Network Analysis: MALICIOUS | Dynamic Analysis: MALICIOUS | File Analysis: NO THREATS (the overall RANSOMWARE verdict rests on the static, network and dynamic engines; a clean file-analysis result alone does not exonerate the sample) |
|
---|
|
|
— DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
— Upfc.exe /launchtype periodic /cv JK0lgTuIl0C7R1ZYFD7Grg.0 |
— sihclient.exe /cv JK0lgTuIl0C7R1ZYFD7Grg.0.2 |
— taskhostw.exe $(Arg0) |
— taskhostw.exe Logon |
— usoclient.exe StartScan |
— rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask |
— taskhostw.exe None |
— mstsca.exe |
— C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe" |
— conhost.exe 0xffffffff -ForceV1 |
— nsadgiuubsdeg.exe |
— icacls "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
— nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask |
— build2.exe |
— build3.exe |
— ApplicationFrameHost.exe -Embedding |
— svchost.exe -k LocalService -p -s BthAvctpSvc |
— C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b\NSADGI~1.EXE |
— C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AXN9OTQX\build2[1].exe |
— C:\Users\Administrator\AppData\Local\aab0f6cb-bf64-46a0-9758-f7b592c4c245\build2.exe |
— C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AXN9OTQX\build3[1].exe |
— C:\Users\Administrator\AppData\Local\aab0f6cb-bf64-46a0-9758-f7b592c4c245\build3.exe |
— C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe |
— C:\Users\Administrator\AppData\Local\6c841924-7ee3-4e1f-abfc-c68b6c2a5ea1\build2.exe |
— C:\Users\Administrator\AppData\Local\6c841924-7ee3-4e1f-abfc-c68b6c2a5ea1\build3.exe |
— C:\Windows\Logs\SIH\SIH.20230515.130230.376.1.etl |
— HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL |
— HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates |
— HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates |
— HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates |
— HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates |
— HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates |
— HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates |
— HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates |
Registry | Value |
---|---|
HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper | "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b\NSADGI~1.EXE" --AutoStart |
Type | Indicator | Reputation |
---|---|---|
IP Address | 109[.]98[.]58[.]98 | Malicious |
IP Address | 187[.]212[.]183[.]201 | Malicious |
IP Address | 190[.]229[.]19[.]7 | Malicious |
IP Address | 116[.]202[.]1[.]79 | Malicious |
IP Address | 162[.]0[.]217[.]254 | Malicious |
Domain | zexeq[.]com | Malicious |
Domain | colisumy[.]com | Malicious |
Domain | t[.]me | Malicious |
URL | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | Malicious |
URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious |
URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious |
URL | hxxp://116[.]202[.]1[.]79/recent[.]zip | Malicious |
Sha256 | 6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427 | Anomalous Activity |
Sha256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity |
Method | URL | IP | HTTP Status |
---|---|---|---|
GET | hxxp://116[.]202[.]1[.]79/recent[.]zip | 116[.]202[.]1[.]79 | 200 |
GET | hxxp://colisumy[.]com/dl/build2[.]exe | 190[.]229[.]19[.]7 | 200 |
POST | hxxp://116[.]202[.]1[.]79/ | 116[.]202[.]1[.]79 | 200 |
GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 109[.]98[.]58[.]98 | 200 |
GET | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | 109[.]98[.]58[.]98 | 200 |
GET | hxxp://116[.]202[.]1[.]79/ef32d425b907146eeb9090dbc9455ab1 | 116[.]202[.]1[.]79 | 200 |
Domain | IP |
---|---|
t[.]me | 149[.]154[.]167[.]99 |
api[.]2ip[.]ua | 162[.]0[.]217[.]254 |
zexeq[.]com | 109[.]98[.]58[.]98 187[.]212[.]183[.]201 |
colisumy[.]com | 190[.]229[.]19[.]7 |
r[.]bing[.]com | 184[.]84[.]233[.]235 |
56[.]126[.]166[.]20[.]in-addr[.]arpa | SECNEURX_DNS |
JA3S | Domain |
---|---|
61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua |
098e26e2609212ac1bfac552fbe04127 | t[.]me |
c8d5b17a0fd5b4ee799ca8bd692fee69 | r[.]bing[.]com |
Sha256 | FileType |
---|---|
ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517 | application/zip |
6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427 | application/x-dosexec |
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df | text/plain |
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec |
bae26690f6055fd2835ace4e17889612e1a3ec9ec23ebfd5b6d2951deda68e99 | text/plain |
700d81b4d0fb4beefdb51236732a1448a824396293587f9ce873a0f8894ba184 | text/plain |
Connections | IP |
---|---|
UDP | 162[.]159[.]36[.]2 |
TCP | 184[.]84[.]233[.]235 149[.]154[.]167[.]99 162[.]0[.]217[.]254 109[.]98[.]58[.]98 116[.]202[.]1[.]79 190[.]229[.]19[.]7 |