Overview

overview

8

Static

static

10

F7B9980B83...7C.exe

windows7_x64

8

F7B9980B83...7C.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    30-03-2021 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F7B9980B8346B59F0B012E07F0D2207C.exe

  • Size

    277KB

  • MD5

    f7b9980b8346b59f0b012e07f0d2207c

  • SHA1

    eaf80f0dcaea152d4bd81eeaa3ff8d31330acd01

  • SHA256

    2edc1d26a755fce3c36d97ee664473a24c09f653c38792118db34196cd638d06

  • SHA512

    5c26b7a32039b95c3a58e73e6ba1e0975758937a46fcf8b36dd34651fb2a5e035671ed05a6651139f500a6a0ba95216cc22dafb799a3c1470238266f1eccc497

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\F7B9980B8346B59F0B012E07F0D2207C.exe
        "C:\Users\Admin\AppData\Local\Temp\F7B9980B8346B59F0B012E07F0D2207C.exe"
        2⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1748
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            3⤵
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1756
            • C:\Windows\SysWOW64\cscript.exe
              "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Roaming\Adminv3.4.2.2.vbs"
              4⤵
                PID:1144

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
          MD5

          be57dc706c5d70a6726fd7bc290cbb7e

          SHA1

          ee4dc76d1866fb8d7c2ad24f75ad3051482b1aa8

          SHA256

          6fd5074779c3d225c7504ab429567404a33e240eb95138fc3def2d60dfd50bdd

          SHA512

          a73b6d716d13050da4fc6039408b64468ba8b126da32140d8a24733824d6a3e7f85ed81900a9203ffd5efc9aa7d6e1d6c8ef541242e53968fd5c982b2db87c5e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Adminv3.4.2.2.txt
          MD5

          81051bcc2cf1bedf378224b0a93e2877

          SHA1

          ba8ab5a0280b953aa97435ff8946cbcbb2755a27

          SHA256

          7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

          SHA512

          1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Adminv3.4.2.2.vbs
          MD5

          f95b76fb6ef3dcc537e273f1578c020c

          SHA1

          c8efa8e0c2b07ae73af4d999f40efb1671856f65

          SHA256

          cf04e89dd5c5ee3e0167bd8cd2eb74247848b0b235e3312dc5b82287dbb4f114

          SHA512

          79d7fc45d5f43d476da27eba5f48b8c36abce7cf0b98059aee3c899e70b7802652646e8b5b5096525b4ae47553ea672e4f3a2439c139b68dcc8eaed4aaa32063

          Download Submit

        • memory/776-2-0x0000000076071000-0x0000000076073000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1144-54-0x0000000000000000-mapping.dmp

          Download

        • memory/1144-57-0x0000000002800000-0x0000000002804000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1756-4-0x0000000000000000-mapping.dmp

          Download

        • memory/1756-3-0x00000000000A0000-0x00000000000A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1756-5-0x00000000000E0000-0x00000000000E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1756-7-0x00000000749B1000-0x00000000749B3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1756-53-0x00000000104F0000-0x0000000010560000-memory.dmp

          Filesize

          448KB

          Download