Resubmissions

09-04-2024 13:11

240409-qe3emafg95 10

09-04-2024 13:11

240409-qe2s4afg94 10

09-04-2024 13:10

240409-qegg6aba8y 10

09-04-2024 13:10

240409-qefwmafg75 10

10-07-2021 10:36

210710-89hyhpsaw6 9

Analysis

  • max time kernel
    149s
  • max time network
    200s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-07-2021 10:36

General

  • Target

    23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa.bin.sample.exe

  • Size

    5.2MB

  • MD5

    0bff2eb7cf8fbbf17ff6594b09101e3b

  • SHA1

    bfa77a5afa5d45aa178edc14361ca2a5825c96f5

  • SHA256

    23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa

  • SHA512

    0861b861e3579ea7867515cea737f811b28bdc689fe24a8e89d1cd9c47d621eb76488a444406d604e0ac860d5f4a8ec73d931828d4281372ad7827af61e73f13

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 14 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 27 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa.bin.sample.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\e0c93a5e\tor\javaupdate.exe
      "C:\Users\Admin\AppData\Local\e0c93a5e\tor\javaupdate.exe" -f torrc
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1980-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

    Filesize

    8KB