The submitted file 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583 is a RANSOMWARE

SHA256 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583
File Name 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583
File Type Win32 EXE
Environment Windows10
Analysis Start Time 2023-05-15 07:32:23 (UTC)
Analysis End Time 2023-05-15 07:37:58 (UTC)
Tags
  • Vidar
  • Ransomware
  • .xash
  • Spyware
  • Exe-Downloaded
  • Trojan
  • STOP

Static Analysis  

MALICIOUS


Network Analysis

MALICIOUS


Dynamic Analysis

MALICIOUS


File Analysis

NO THREATS


  • Malicious
    • Changes The Autorun Value In The Registry
      • 6956 - NSADGI~1.EXE
        • Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
        • Privilege Escalation - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • Modifying Access Control Lists For Files and Folders
      • 4552 - icacls "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
    • Task Scheduler Executable Triggered
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4184 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6500 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Task Creation
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4184 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6500 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious
    • Sysmon Process Hollowing Detection
    • Use Icacls to Hide File to Everyone
      • 4552 - icacls "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - Hide Artifacts: Hidden Files and Directories
    • Suspicious Add Scheduled Task Parent
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4184 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6500 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Schtasks From Env Var Folder
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4184 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6500 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Info
    • Creation of an Executable by an Executable
      • 6956 - NSADGI~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 4496 - NSADGI~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 4176 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 4816 - NSADGI~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 5052 - build3.exe
        • Resource Development - Develop Capabilities: Malware
    • Creates Files In The User Directory
      • 6956 - NSADGI~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 4496 - NSADGI~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 4176 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 4816 - NSADGI~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 5052 - build3.exe
        • Collection - Data Staged: Local Data Staging
    • Scheduled Task Creation
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4184 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6500 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • 37d82158e3ba555a339295e36b26b5f909427469d2694eb902fb2416c4824583
    • 7048 - [-130785.50s] DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    • 4912 - [-9.02s] Upfc.exe /launchtype periodic /cv JK0lgTuIl0C7R1ZYFD7Grg.0
      • 6408 - [21.33s] sihclient.exe /cv JK0lgTuIl0C7R1ZYFD7Grg.0.2
      • 4868 - [-9.01s] taskhostw.exe $(Arg0)
      • 6164 - [-9.00s] taskhostw.exe Logon
      • 6152 - [-8.99s] usoclient.exe StartScan
      • 6180 - [-8.98s] rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
      • 6192 - [-8.93s] taskhostw.exe None
      • 4104 - [-8.92s] usoclient.exe StartScan
      • 720 - [-8.90s] mstsca.exe
        • 6500 - [-5.54s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
          • 6668 - [-5.47s] conhost.exe 0xffffffff -ForceV1
        • 4808 - [0.0s] nsadgiuubsdeg.exe
          • 6956 - [1.02s] nsadgiuubsdeg.exe
            • 4552 - [2.60s] icacls "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              • 396 - [2.85s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
                • 4496 - [3.52s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
                  • 5144 - [11.25s] build2.exe
                    • 6212 - [12.16s] build2.exe
                    • 4176 - [12.03s] build3.exe
                      • 6868 - [12.07s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                        • 5176 - [12.08s] conhost.exe 0xffffffff -ForceV1
              • 6924 - [16.68s] ApplicationFrameHost.exe -Embedding
              • 6160 - [18.52s] svchost.exe -k LocalService -p -s BthAvctpSvc
              • 5376 - [21.80s] nsadgiuubsdeg.exe
                • 4368 - [22.42s] nsadgiuubsdeg.exe
                  • 3304 - [23.95s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
                    • 4816 - [24.53s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
                      • 3332 - [32.02s] build2.exe
                        • 2428 - [32.87s] build2.exe
                        • 5052 - [33.18s] build3.exe
                          • 4184 - [33.20s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                            • 5844 - [33.21s] conhost.exe 0xffffffff -ForceV1
Process
DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Upfc.exe /launchtype periodic /cv JK0lgTuIl0C7R1ZYFD7Grg.0
sihclient.exe /cv JK0lgTuIl0C7R1ZYFD7Grg.0.2
taskhostw.exe $(Arg0)
taskhostw.exe Logon
usoclient.exe StartScan
rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
taskhostw.exe None
mstsca.exe
C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
conhost.exe 0xffffffff -ForceV1
nsadgiuubsdeg.exe
icacls "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
build2.exe
build3.exe
ApplicationFrameHost.exe -Embedding
svchost.exe -k LocalService -p -s BthAvctpSvc

File
C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b\NSADGI~1.EXE
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AXN9OTQX\build2[1].exe
C:\Users\Administrator\AppData\Local\aab0f6cb-bf64-46a0-9758-f7b592c4c245\build2.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AXN9OTQX\build3[1].exe
C:\Users\Administrator\AppData\Local\aab0f6cb-bf64-46a0-9758-f7b592c4c245\build3.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Administrator\AppData\Local\6c841924-7ee3-4e1f-abfc-c68b6c2a5ea1\build2.exe
C:\Users\Administrator\AppData\Local\6c841924-7ee3-4e1f-abfc-c68b6c2a5ea1\build3.exe
C:\Windows\Logs\SIH\SIH.20230515.130230.376.1.etl

Registry Key
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Registry Value
HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper  "C:\Users\Administrator\AppData\Local\bd4c113a-6fd7-4e95-ae97-2702862bc30b\NSADGI~1.EXE" --AutoStart

Type        Indicator                                                          Reputation
IP Address  109[.]98[.]58[.]98                                                 Malicious
IP Address  187[.]212[.]183[.]201                                              Malicious
IP Address  190[.]229[.]19[.]7                                                 Malicious
IP Address  116[.]202[.]1[.]79                                                 Malicious
IP Address  162[.]0[.]217[.]254                                                Malicious
Domain      zexeq[.]com                                                        Malicious
Domain      colisumy[.]com                                                     Malicious
Domain      t[.]me                                                             Malicious
URL         hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=***              Malicious
URL         hxxp://colisumy[.]com/dl/build2[.]exe                              Malicious
URL         hxxp://zexeq[.]com/files/1/build3[.]exe                            Malicious
URL         hxxp://116[.]202[.]1[.]79/recent[.]zip                             Malicious
Sha256      6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427   Anomalous Activity
Sha256      8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0   Anomalous Activity

Method  URL                                                             IP                     HTTP Status
GET     hxxp://116[.]202[.]1[.]79/recent[.]zip                          116[.]202[.]1[.]79     200
GET     hxxp://colisumy[.]com/dl/build2[.]exe                           190[.]229[.]19[.]7     200
POST    hxxp://116[.]202[.]1[.]79/                                      116[.]202[.]1[.]79     200
GET     hxxp://zexeq[.]com/files/1/build3[.]exe                         109[.]98[.]58[.]98     200
GET     hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=***           109[.]98[.]58[.]98     200
GET     hxxp://116[.]202[.]1[.]79/ef32d425b907146eeb9090dbc9455ab1     116[.]202[.]1[.]79     200

Domain                                  IP
t[.]me                                  149[.]154[.]167[.]99
api[.]2ip[.]ua                          162[.]0[.]217[.]254
zexeq[.]com                             109[.]98[.]58[.]98
                                        187[.]212[.]183[.]201
colisumy[.]com                          190[.]229[.]19[.]7
r[.]bing[.]com                          184[.]84[.]233[.]235
56[.]126[.]166[.]20[.]in-addr[.]arpa    SECNEURX_DNS

JA3S                              Domain
61be9ce3d068c08ff99a857f62352f9d  api[.]2ip[.]ua
098e26e2609212ac1bfac552fbe04127  t[.]me
c8d5b17a0fd5b4ee799ca8bd692fee69  r[.]bing[.]com

Sha256                                                            FileType
ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517  application/zip
6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427  application/x-dosexec
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df  text/plain
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0  application/x-dosexec
bae26690f6055fd2835ace4e17889612e1a3ec9ec23ebfd5b6d2951deda68e99  text/plain
700d81b4d0fb4beefdb51236732a1448a824396293587f9ce873a0f8894ba184  text/plain

Connections  IP
UDP          162[.]159[.]36[.]2
TCP          184[.]84[.]233[.]235
             149[.]154[.]167[.]99
             162[.]0[.]217[.]254
             109[.]98[.]58[.]98
             116[.]202[.]1[.]79
             190[.]229[.]19[.]7