Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-03-2021 09:49

General

  • Target

    72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe

  • Size

    818KB

  • MD5

    d8e9c7825c9f7c3828ff4a579a965a8a

  • SHA1

    8db1c5dcd2d583a6644f7e7d613837309b0092a5

  • SHA256

    72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592

  • SHA512

    9379b64c348f3b070cdf0a962ccd22f8ff7111fd0bbc7f242feca32cada3cb5ce46b132be1675705983f96e75146051ed2a84d36fe13bc7ac10fe89105a103b3

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (5 IoCs)
  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open-source packer.

  • Loads dropped DLL (9 IoCs)
  • Adds Run key to start application (2 TTPs, 12 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of SetWindowsHookEx (15 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)
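The "UPX packed file" signature is a static check that can be reproduced outside the sandbox. The script below is an added example, not code from this report or from any tool it names: it walks the PE section table by hand (so it needs no pefile), and looks for the two UPX tells, section names UPX0/UPX1/UPX! and a first section with a large virtual size but no bytes on disk (UPX0 is the placeholder the unpacked image is decompressed into), the latter backed by the entropy of the packed section so that a renamed-section variant is still caught. make_sample_pe() constructs a miniature PE for the demonstration; the 818KB sample on this page is not embedded.

```python
"""Static reproduction of the 'UPX packed file' signature.

Added example; not code from the sandbox report or from any tool it
names. The PE section table is parsed by hand so it runs without
pefile. Two UPX tells are checked: section names UPX0/UPX1/UPX! and a
first section that has no bytes on disk but a large virtual size,
backed by the entropy of the packed section. make_sample_pe() builds a
constructed miniature PE for the demo; the sample on this page is not
embedded here.
"""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) for every section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, vsize, rsize, image[rptr:rptr + rsize]


def upx_indicators(image: bytes) -> dict:
    """Evidence a triage script would log before deciding 'UPX packed'."""
    secs = list(pe_sections(image))
    named = [s[0].decode() for s in secs if s[0] in UPX_SECTION_NAMES]
    first_empty = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    max_ent = max((entropy(s[3]) for s in secs), default=0.0)
    return {
        "upx_named_sections": named,
        "first_section_empty_on_disk": first_empty,
        "max_section_entropy": round(max_ent, 3),
        # renamed sections defeat the name check, so fall back to the layout + entropy tell
        "likely_upx": bool(named) or (first_empty and max_ent > HIGH_ENTROPY),
    }


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed section."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


def make_sample_pe(sections) -> bytes:
    """Construct a minimal PE (no optional header) from [(name, virtual_size, raw_bytes)].
    Demonstration input only; a real file also carries a 224/240-byte optional header."""
    table_off = 0x40 + 4 + 20
    data_off = table_off + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blobs = b"", b""
    for name, vsize, raw in sections:
        rptr = data_off + len(blobs) if raw else 0
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, len(raw), rptr) + b"\0" * 16
        blobs += raw
    return dos + b"PE\0\0" + coff + table + blobs


if __name__ == "__main__":
    packed = make_sample_pe([(b"UPX0", 0x20000, b""),
                             (b"UPX1", 0x9000, pseudo_random(4096)),
                             (b".rsrc", 0x1000, b"\0" * 512)])
    print(upx_indicators(packed))
```

Run it against the sample with `upx_indicators(open(path, "rb").read())`; a hit on the name check alone is enough to try `upx -d`, while a hit on the layout-plus-entropy fallback without UPX names usually means a modified stub that the stock unpacker will refuse.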

Processes

  • C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe
    "C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-3341490333-719741536-2920803124-1000"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe
        C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe /f
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe
          "C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrProc.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe
            C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrCon.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:904
            • C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe
              "C:\Users\Admin\AppData\Roaming\WinCtrViewer\Engin\ProVersion\WinCtrProc.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:1248
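The chain above starts with a Setup Factory installer stub (irsetup.exe with the __IRAOFF/__IRAFN arguments is the Indigo Rose Setup Factory runtime), which drops WinCtrCon.exe and WinCtrProc.exe under %APPDATA%\WinCtrView\Engin\ProVersion and a second copy under the near-identical %APPDATA%\WinCtrViewer\Engin\ProVersion; four of the processes add Run keys. The script below is an added example, not code from the report, for hunting that persistence on other hosts offline: it parses the text that `reg query` prints for the HKCU and HKLM Run keys and reports values whose target is one of the drop paths from the process tree. Going beyond this report, it also flags any autorun launched from AppData\Roaming or AppData\Local\Temp as a heuristic, which will produce benign hits (updaters and the like). The registry listing embedded in it is constructed for the demo; the value names the sample registers under are not recorded in the report and are assumed.

```python
r"""Hunt for the Run-key persistence this report records, offline, from `reg query` output.

Added example, not code from the report. Feed it the text that
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
print on a suspect host. Targets under the two drop directories from the
process tree are reported as IoC matches; any autorun launched from a
user-writable profile directory is flagged as a heuristic (expect benign hits).
"""
import re
from pathlib import PureWindowsPath

# Drop locations and binaries taken from the process tree above (lower-case for matching).
DROP_DIRS = (
    r"\appdata\roaming\winctrview\engin\proversion",
    r"\appdata\roaming\winctrviewer\engin\proversion",
)
DROP_BINARIES = {"winctrcon.exe", "winctrproc.exe"}
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp")

# `reg query` prints "    <name>    <REG_TYPE>    <data>" under each key header line.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str):
    """Return (key, value_name, reg_type, data) for every value in `reg query` output."""
    key, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            rows.append((key, m["name"], m["type"], m["data"].strip()))
    return rows


def exe_from_command(cmd: str) -> str:
    """Extract the program path from an autorun command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)   # "C:\x\y.exe /f" -> C:\x\y.exe
    return m.group(1) if m else cmd.split()[0]


def classify(path: str):
    """IoC match from this report, heuristic suspicion, or None."""
    low = path.lower()
    if any(d in low for d in DROP_DIRS) or PureWindowsPath(low).name in DROP_BINARIES:
        return "ioc: WinCtrView/WinCtrViewer dropper from this report"
    if any(d in low for d in USER_WRITABLE):
        return "heuristic: autorun from a user-writable profile directory"
    return None


def hunt_run_keys(reg_output: str):
    """Findings for every Run value whose target matches an IoC or the heuristic."""
    findings = []
    for key, name, _type, data in parse_reg_query(reg_output):
        target = exe_from_command(data)
        verdict = classify(target)
        if verdict:
            findings.append({"key": key, "value": name, "target": target, "verdict": verdict})
    return findings


# Constructed `reg query` output for the demo; the value names are assumed, the
# report does not record which names the sample used.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinCtrCon    REG_SZ    C:\Users\Admin\AppData\Roaming\WinCtrView\Engin\ProVersion\WinCtrCon.exe /f
    Updater    REG_SZ    "C:\Users\Admin\AppData\Roaming\SomeVendor\upd.exe" --silent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for f in hunt_run_keys(SAMPLE_REG_QUERY):
        print(f"{f['verdict']:<60} {f['key']}\\{f['value']} -> {f['target']}")
```

The report counts 12 Run-key IoCs across the chain, so on a real host also query the RunOnce keys and the Wow6432Node variants under HKLM, and treat both the WinCtrView and WinCtrViewer spellings as the same indicator.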

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/904-30-0x0000000073D10000-0x0000000073DA3000-memory.dmp

    Filesize

    588KB

  • memory/1196-11-0x0000000073D10000-0x0000000073DA3000-memory.dmp

    Filesize

    588KB

  • memory/1248-38-0x0000000073D10000-0x0000000073DA3000-memory.dmp

    Filesize

    588KB

  • memory/2148-5-0x0000000073D10000-0x0000000073DA3000-memory.dmp

    Filesize

    588KB

  • memory/4500-22-0x0000000073D10000-0x0000000073DA3000-memory.dmp

    Filesize

    588KB
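The dump names encode the PID and the virtual address range that was written out. The script below is an added example, not part of the report, that parses them and cross-checks the Filesize column: every dump covers 0x73D10000-0x73DA3000, which is 0x93000 = 602112 bytes, exactly the 588 KB shown, and the same range was dumped from all five PIDs. One region at the same address in every process is what a single module mapped into each of them looks like (on Windows an image base is randomized once per boot, so a given DLL lands at the same address in every process), consistent with the "Loads dropped DLL" signature on four of these five processes; which module occupies the range can only be confirmed by opening the dumps.

```python
"""Parse the sandbox's memory-dump names and cross-check them against the report.

Added example, not part of the report. Dump names follow
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; DUMPS holds the five
names listed above and REPORTED_KB the Filesize shown for each.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/904-30-0x0000000073D10000-0x0000000073DA3000-memory.dmp",
    "memory/1196-11-0x0000000073D10000-0x0000000073DA3000-memory.dmp",
    "memory/1248-38-0x0000000073D10000-0x0000000073DA3000-memory.dmp",
    "memory/2148-5-0x0000000073D10000-0x0000000073DA3000-memory.dmp",
    "memory/4500-22-0x0000000073D10000-0x0000000073DA3000-memory.dmp",
]
REPORTED_KB = 588

_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a dump name into pid, dump index, address range and byte size."""
    m = _DUMP.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def size_matches_report(name: str, reported_kb: int) -> bool:
    """The report rounds to whole KB; 0x93000 bytes is exactly 588 KB."""
    return parse_dump_name(name)["size"] // 1024 == reported_kb


def regions_by_pid(names) -> dict:
    """Map each (start, end) range to the sorted PIDs it was dumped from."""
    regions = defaultdict(list)
    for d in map(parse_dump_name, names):
        regions[(d["start"], d["end"])].append(d["pid"])
    return {r: sorted(p) for r, p in regions.items()}


def shared_regions(names, min_pids: int = 2) -> dict:
    """Ranges dumped from at least min_pids processes: candidates for one module mapped everywhere."""
    return {r: p for r, p in regions_by_pid(names).items() if len(p) >= min_pids}


if __name__ == "__main__":
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"0x{start:08X}-0x{end:08X} ({(end - start) // 1024} KB) in PIDs {pids}")
```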