The submitted file f9c1199f4097dbb42aeef223a98e88e8d1acfb9210bc2795e782abc191d60da5 is classified as RANSOMWARE

SHA256: f9c1199f4097dbb42aeef223a98e88e8d1acfb9210bc2795e782abc191d60da5
File Name: f9c1199f4097dbb42aeef223a98e88e8d1acfb9210bc2795e782abc191d60da5
File Type: Win32 EXE
Environment: Windows 10
Analysis Start Time: 2023-05-09 17:06:45 (UTC)
Analysis End Time: 2023-05-09 17:12:19 (UTC)
Tags
  • Ransomware
  • STOP
  • .gash
  • Exe-Downloaded
  • Trojan
  • Spyware
  • Vidar

Static Analysis: MALICIOUS

Network Analysis: MALICIOUS

Dynamic Analysis: MALICIOUS

File Analysis: NO THREATS

  • Malicious
    • Changes The Autorun Value In The Registry
      • 6908 - NSADGI~1.EXE
        • Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
        • Privilege Escalation - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • Loads The Task Scheduler COM API
      • 6908 - NSADGI~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7148 - NSADGI~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5936 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6868 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - nsadgiuubsdeg.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4720 - NSADGI~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1696 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2276 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Executable Triggered
      • 5936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1696 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2276 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Task Creation
      • 5936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1696 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2276 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious
    • Use Icacls to Hide File to Everyone
      • 6964 - icacls "C:\Users\Administrator\AppData\Local\9c7ab2be-12da-4e48-afaa-ca63dbd71ca0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - Hide Artifacts: Hidden Files and Directories
    • Sysmon Process Hollowing Detection
    • Suspicious Schtasks From Env Var Folder
      • 5936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1696 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2276 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Add Scheduled Task Parent
      • 5936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1696 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2276 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Info
    • Creates Files In The User Directory
      • 6908 - NSADGI~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 7148 - NSADGI~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 5868 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 6296 - WINWORD.EXE
        • Collection - Data Staged: Local Data Staging
      • 4720 - NSADGI~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 2448 - build3.exe
        • Collection - Data Staged: Local Data Staging
    • Creation of an Executable by an Executable
      • 6908 - NSADGI~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 7148 - NSADGI~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 5868 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 4720 - NSADGI~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 2448 - build3.exe
        • Resource Development - Develop Capabilities: Malware
    • Scheduled Task Creation
      • 5936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6868 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1696 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2276 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • f9c1199f4097dbb42aeef223a98e88e8d1acfb9210bc2795e782abc191d60da5
    • 5748 - [-3.57s] -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
    • 6816 - [0.0s] nsadgiuubsdeg.exe
      • 6908 - [1.04s] nsadgiuubsdeg.exe
        • 6964 - [2.53s] icacls "C:\Users\Administrator\AppData\Local\9c7ab2be-12da-4e48-afaa-ca63dbd71ca0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          • 6992 - [2.77s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
            • 7148 - [3.62s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
              • 5868 - [8.29s] build3.exe
                • 5936 - [8.32s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  • 5892 - [8.34s] conhost.exe 0xffffffff -ForceV1
        • 6296 - [5.37s] WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
        • 788 - [5.42s] NSADGI~1.EXE
          • 1552 - [6.19s] NSADGI~1.EXE
          • 6836 - [11.18s] build3.exe
          • 6888 - [11.56s] mstsca.exe
            • 6868 - [11.73s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
              • 6844 - [11.75s] conhost.exe 0xffffffff -ForceV1
            • 6936 - [12.00s] WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task"
            • 7096 - [15.38s] WINWORD.EXE /Automation -Embedding
            • 6824 - [16.66s] WINWORD.EXE /Automation -Embedding
            • 1048 - [21.95s] WINWORD.EXE /Automation -Embedding
            • 4640 - [22.22s] nsadgiuubsdeg.exe
              • 4712 - [22.90s] nsadgiuubsdeg.exe
                • 5896 - [24.29s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
                  • 4720 - [24.90s] nsadgiuubsdeg.exe --Admin IsNotAutoStart IsNotTask
                    • 2448 - [28.35s] build3.exe
                      • 1696 - [28.37s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                        • 5532 - [28.38s] conhost.exe 0xffffffff -ForceV1
              • 1380 - [23.24s] WINWORD.EXE /Automation -Embedding
              • 2132 - [51.43s] mstsca.exe
                • 2276 - [51.45s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  • 6880 - [51.46s] conhost.exe 0xffffffff -ForceV1
                • 6848 - [100.51s] svchost.exe -k netsvcs -p -s wuauserv
                • 3796 - [100.95s] wmiadap.exe /F /T /R
                • 1568 - [103.59s] SecurityHealthService.exe
                • 7012 - [108.59s] svchost.exe -k LocalService -p -s CDPSvc
Files:
  • C:\Users\Administrator\AppData\Local\9c7ab2be-12da-4e48-afaa-ca63dbd71ca0\NSADGI~1.EXE
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\get[1].htm
  • C:\Users\Administrator\AppData\Local\bowsakkdestx.txt
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build3[1].exe
  • C:\Users\Administrator\AppData\Local\a4db965c-ff2a-46f5-b653-2d5a7106aa60\build3.exe
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  • C:\Users\Administrator\AppData\Local\8b05d66e-de49-403a-8325-c3f14a5e4c7c\build3.exe
  • C:\Windows\System32\perfc009.dat
  • C:\Windows\System32\perfh009.dat
  • C:\Windows\INF\WmiApRpl\WmiApRpl.h
  • C:\Windows\INF\WmiApRpl\WmiApRpl.ini
  • C:\Windows\INF\WmiApRpl\0009
  • C:\Windows\System32\PerfStringBackup.INI

Registry Keys:
  • HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Registry / Value:
  • HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "C:\Users\Administrator\AppData\Local\9c7ab2be-12da-4e48-afaa-ca63dbd71ca0\NSADGI~1.EXE" --AutoStart
  • HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4024204036-1465485123-3602351515-500\\Device\HarddiskVolume2\Windows\System32\conhost.exe = Binary Data
  • HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime = DWORD (0x01ac2aa7)
  • HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFile = WmiApRpl.ini
  • HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter = DWORD (0x000029be)
  • HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help = DWORD (0x000029bf)
  • HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter = DWORD (0x00002918)
  • HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help = DWORD (0x00002919)
  • HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List = 10520 10526 10536 10546 10566 10610 10620 10658 10664 10680
Type / Indicator / Reputation:
  • Domain: zexeq[.]com (Malicious)
  • Domain: colisumy[.]com (Malicious)
  • URL: hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** (Malicious)
  • URL: hxxp://colisumy[.]com/dl/build2[.]exe (Malicious)
  • URL: hxxp://zexeq[.]com/files/1/build3[.]exe (Malicious)
  • Sha256: 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 (Anomalous Activity)
Method / URL / IP / HTTP Status:
  • GET hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | 84[.]224[.]34[.]240 | 200
  • GET hxxp://zexeq[.]com/files/1/build3[.]exe | 84[.]224[.]34[.]240 | 200
  • GET hxxp://colisumy[.]com/dl/build2[.]exe | 37[.]34[.]248[.]24 | 404
  • GET hxxp://www[.]msftconnecttest[.]com/connecttest[.]txt | 13[.]107[.]4[.]52 | 200
JA3S / Domain:
  • 61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua

Sha256 / File Type:
  • d8d2ad3bf7ac898ac658ae85641788321a8c669dad97bfc852d5087d1d55ee84 | text/plain
  • 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec
  • 5e9a7996fe94d7be10595d7133748760bf8348198b71b7a50fd8affaa980ac61 | text/plain