Overview

overview

8

Static

static

6

772c627fc0...in.exe

windows7_x64

8

772c627fc0...in.exe

windows10_x64

8

Analysis

  • max time kernel
    135s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    30/01/2021, 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe

  • Size

    31.3MB

  • MD5

    fa9649ba7f76190701b2f1ffaaf4d0df

  • SHA1

    dac66a285e89ee98cb84488df21f8c43c4acb5d3

  • SHA256

    772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae

  • SHA512

    9868a1cc7e9bf361c1d93bad871b88fae0f3c3fa1f15dce1d386f1e78fbda913d30ffd3d407706a34043357727e7db560924ffbd7e1ec4bc5dada7c9e74f6c11

Score
8/10
discoveryevasionransomwareupx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 124 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe
      C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp" /SL5="$40156,31402076,326656,C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=TCP name="uTorrent" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" enable=yes profile=public
          4⤵
            PID:760
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=UDP name="uTorrent" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" enable=yes profile=public
            4⤵
              PID:1540
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=TCP name="uTorrent (TCP-In)" program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" dir=in action=allow
              4⤵
                PID:1648
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=UDP name="uTorrent (UDP-In)" program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" dir=in action=allow
                4⤵
                  PID:1604
                • C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
                  "C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe"
                  4⤵
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:612
            • C:\Windows\system32\notepad.exe
              notepad C:\Users\Admin\Desktop\README.VOVALEX.txt
              2⤵
              • Opens file in notepad (likely ransom note)
              • Suspicious use of FindShellTrayWindow
              PID:1992
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
            1⤵
              PID:1028
            • C:\Windows\SysWOW64\DllHost.exe
              C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
              1⤵
                PID:1632
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SendSelect.mpeg.vovalex
                1⤵
                • Modifies registry class
                PID:1620
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SelectTrace.sql.vovalex
                1⤵
                  PID:1208
                • C:\Windows\system32\NOTEPAD.EXE
                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.VOVALEX.txt
                  1⤵
                  • Opens file in notepad (likely ransom note)
                  PID:1644
                • C:\Windows\system32\NOTEPAD.EXE
                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.VOVALEX.txt
                  1⤵
                  • Opens file in notepad (likely ransom note)
                  PID:1920
                • C:\Windows\system32\AUDIODG.EXE
                  C:\Windows\system32\AUDIODG.EXE 0x5b0
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1100

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/612-38-0x00000000003D0000-0x00000000003D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/916-12-0x0000000000240000-0x0000000000241000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/916-16-0x00000000750A1000-0x00000000750A3000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1716-7-0x0000000000401000-0x0000000000412000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1716-5-0x0000000075C31000-0x0000000075C33000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1908-34-0x000007FEF6AB0000-0x000007FEF6D2A000-memory.dmp

                  Filesize

                  2.5MB

                  Download

                • memory/1992-14-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2028-2-0x0000000000610000-0x0000000000621000-memory.dmp

                  Filesize

                  68KB

                  Download