Analysis

  • max time kernel
    19s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 06:03

General

  • Target

    808e34a763acd79d01eeb1f54b18a551.exe

  • Size

    3.5MB

  • MD5

    808e34a763acd79d01eeb1f54b18a551

  • SHA1

    df3f6e0f29d9d65a2afc401ab6938044f24c5506

  • SHA256

    86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

  • SHA512

    9638d841bbbb059f6c6be89f3664ce68b4749585a523a776e51b6d591c6ccb60b6df3aa34d25bf8df7521f883b7e31108da64c1112ff3fd369945acc0885a31c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 5 IoCs
  • Kills process with taskkill 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\808e34a763acd79d01eeb1f54b18a551.exe
    "C:\Users\Admin\AppData\Local\Temp\808e34a763acd79d01eeb1f54b18a551.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\LMPupdate\set\183.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\timeout.exe
          timeout 0
          4⤵
          • Delays execution with timeout.exe
          PID:1776
        • C:\Windows\SysWOW64\PING.EXE
          ping dhgfg sgudy
          4⤵
          • Runs ping.exe
          PID:1772
        • C:\LMPupdate\set\unpakedree.exe
          "unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
          4⤵
          • Executes dropped EXE
          PID:1048
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:772
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\LMPupdate\set\48551.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:688
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\LMPupdate\set"
              6⤵
              • Views/modifies file attributes
              PID:768
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:436
            • C:\LMPupdate\set\xc829374091FD.exe
              xc829374091FD.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1096
              • C:\LMPupdate\set\xc829374091FD.exe
                xc829374091FD.exe /start
                7⤵
                • Executes dropped EXE
                PID:752
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im unpakedree.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1628
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im unpakedree.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:784
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
              6⤵
              • Views/modifies file attributes
              PID:552
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:1952
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LMPupdate\set\183.bat

    MD5

    49d00501554543d18a49c5b93c4528f0

    SHA1

    7a73595e37fda30fb1554b9d8bfe8a855f803d0b

    SHA256

    74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735

    SHA512

    9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6

  • C:\LMPupdate\set\3980392CV.vbs

    MD5

    0c4747ed40d52d992d44951de476c21b

    SHA1

    24cc5271d1a379e0ebdd0814a1148ecd6e7c880a

    SHA256

    3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264

    SHA512

    6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1

  • C:\LMPupdate\set\435246.vbs

    MD5

    f6e0c73782e7a0768006b7be0fc4a1a1

    SHA1

    2a5dea82a47544d00bfa99563fb899a41fa7a1f7

    SHA256

    8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317

    SHA512

    89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703

  • C:\LMPupdate\set\48551.bat

    MD5

    ec8f0f76fe14a110317c3b5c71fce669

    SHA1

    d41207a90b96b124630f3f8ad7f1657cd39a4dd2

    SHA256

    1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614

    SHA512

    9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f

  • C:\LMPupdate\set\unpakedree.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • C:\LMPupdate\set\unpakedree.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • C:\LMPupdate\set\x0329847998

    MD5

    a5a4cc669d306e9b25ae2202e1ccc565

    SHA1

    4e8e841ba4915641f989a061f092f95f9070d164

    SHA256

    3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705

    SHA512

    5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • \LMPupdate\set\unpakedree.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • \LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • \LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • memory/436-83-0x0000000000000000-mapping.dmp

  • memory/552-96-0x0000000000000000-mapping.dmp

  • memory/688-81-0x0000000000000000-mapping.dmp

  • memory/752-89-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/752-90-0x00000000004015C6-mapping.dmp

  • memory/752-94-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/768-82-0x0000000000000000-mapping.dmp

  • memory/772-74-0x0000000000000000-mapping.dmp

  • memory/784-95-0x0000000000000000-mapping.dmp

  • memory/872-78-0x0000000000000000-mapping.dmp

  • memory/1048-71-0x0000000000000000-mapping.dmp

  • memory/1096-87-0x0000000000000000-mapping.dmp

  • memory/1116-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

    Filesize

    8KB

  • memory/1116-60-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1616-77-0x0000000000000000-mapping.dmp

  • memory/1628-93-0x0000000000000000-mapping.dmp

  • memory/1644-65-0x0000000000000000-mapping.dmp

  • memory/1652-61-0x0000000000000000-mapping.dmp

  • memory/1772-68-0x0000000000000000-mapping.dmp

  • memory/1776-67-0x0000000000000000-mapping.dmp

  • memory/1952-97-0x0000000000000000-mapping.dmp