9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6

Analysis

max time kernel
155s
max time network
148s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe
Size

735KB
MD5

e5243155594c994fb11727767f6ef2d6
SHA1

07fc154519512c62bfde63f6fa688ba720972063
SHA256

9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6
SHA512

70c8cac4fc6be30aafa00996cdae16fa632601e9b040d5bb80fb8a8512f096f7edf31c3193711b73cfb34a9ad92a63659a27f1006f9a4ce013291e6744d68056

Score

8^/10

link pdf persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Untold Story - Sufferings of Muslims.exeUNTOLD~1.EXEWUApp.exe

pid process

1228 Untold Story - Sufferings of Muslims.exe
1248 UNTOLD~1.EXE
1480 WUApp.exe

pid	process
1228	Untold Story - Sufferings of Muslims.exe
1248	UNTOLD~1.EXE
1480	WUApp.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE	upx

Loads dropped DLL 9 IoCs

Processes:

cmd.exeUntold Story - Sufferings of Muslims.exeUNTOLD~1.EXEWUApp.exe

pid	process
740	cmd.exe
740	cmd.exe
1228	Untold Story - Sufferings of Muslims.exe
1228	Untold Story - Sufferings of Muslims.exe
1228	Untold Story - Sufferings of Muslims.exe
1248	UNTOLD~1.EXE
1228	Untold Story - Sufferings of Muslims.exe
1228	Untold Story - Sufferings of Muslims.exe
1480	WUApp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Untold Story - Sufferings of Muslims.exeWUApp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Untold Story - Sufferings of Muslims.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Untold Story - Sufferings of Muslims.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "c:\\windows\\wuapp.exe"	WUApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\WUApp.exe"	WUApp.exe

Drops file in Windows directory 3 IoCs

Processes:

WUApp.exe

description	ioc	process
File created	\??\c:\windows\asp32.dll	WUApp.exe
File created	\??\c:\windows\wuapp.exe	WUApp.exe
File opened for modification	\??\c:\windows\wuapp.exe	WUApp.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F641.tmp\Untold Story - Sufferings of Muslims.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1536 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1536 AcroRd32.exe
1536 AcroRd32.exe
1536 AcroRd32.exe
1536 AcroRd32.exe

pid	process
1536	AcroRd32.exe

pid	process
1536	AcroRd32.exe
1536	AcroRd32.exe
1536	AcroRd32.exe
1536	AcroRd32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.execmd.exeUntold Story - Sufferings of Muslims.exeUNTOLD~1.EXEcmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 740	1736	9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe	cmd.exe
PID 1736 wrote to memory of 740	1736	9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe	cmd.exe
PID 1736 wrote to memory of 740	1736	9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe	cmd.exe
PID 1736 wrote to memory of 740	1736	9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe	cmd.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 740 wrote to memory of 1228	740	cmd.exe	Untold Story - Sufferings of Muslims.exe
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1228 wrote to memory of 1248	1228	Untold Story - Sufferings of Muslims.exe	UNTOLD~1.EXE
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1248 wrote to memory of 1744	1248	UNTOLD~1.EXE	cmd.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1744 wrote to memory of 1536	1744	cmd.exe	AcroRd32.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe
PID 1228 wrote to memory of 1480	1228	Untold Story - Sufferings of Muslims.exe	WUApp.exe

C:\Users\Admin\AppData\Local\Temp\9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe
"C:\Users\Admin\AppData\Local\Temp\9c5d8b74fd35755570b478737e1298702535d9baf06f69d9954f265c30dcdab6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E169.tmp\4.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\E169.tmp\Untold Story - Sufferings of Muslims.exe
"Untold Story - Sufferings of Muslims.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F641.tmp\2.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\F641.tmp\Untold Story - Sufferings of Muslims.pdf"
6⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E169.tmp\4.bat
MD5
b8afc2c81ccf5a95c05898136843c8f9

SHA1
629911711cacb623d78d63f1361e70d18a9c0c32

SHA256
66d5813abbef023d390504add45a33413d977f370ace4870ff160d626d296d52

SHA512
4af974b04f6415fb9a7786b35edf08c63e53c9565b6fcf55184385560a0cabf4e4aace287a8b46b7d9e4aad9362dcc06f31296ed29e7141165531c1197ac84e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E169.tmp\Untold Story - Sufferings of Muslims.exe
MD5
ceda36963247ee5b0c19f07491743409

SHA1
8720a400c97d6aaa12285cf624fbde7e1b6f9f9e

SHA256
93e885619434e8006c3274b206337ff924b0f1ff8a60a447283494be00c2e309

SHA512
5da84153183a3fb7f682ce2c949241d7ca6dedfe821008cec2cf5abf7baf27f919ebb364ad924406732e55f432cb32400a82aa215958a3b2713c7cad66a548fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E169.tmp\Untold Story - Sufferings of Muslims.exe
MD5
ceda36963247ee5b0c19f07491743409

SHA1
8720a400c97d6aaa12285cf624fbde7e1b6f9f9e

SHA256
93e885619434e8006c3274b206337ff924b0f1ff8a60a447283494be00c2e309

SHA512
5da84153183a3fb7f682ce2c949241d7ca6dedfe821008cec2cf5abf7baf27f919ebb364ad924406732e55f432cb32400a82aa215958a3b2713c7cad66a548fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F641.tmp\2.bat
MD5
b5e673c52b3fde84bf42dad9ebb08ccd

SHA1
94316a8b41a55759ae905b337b01369e3c8ec839

SHA256
b1a429e7c9e4c3150522882a66004f97657b7eaf2b8b60ffde2918922530f4c0

SHA512
fa22d37df8738b2a9b0f7b26c5765d8c064e0cccbc21eecf0b965600a3a47e6f7d1225485a0aee608c0f777766368c707dab071787fad878ec2a59b7445626ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\F641.tmp\Untold Story - Sufferings of Muslims.pdf
MD5
5df5cfd9afd8b9a3315acfa1bce65f39

SHA1
b28285f9e2fb67f3f0034d223b7f36a22bedff2c

SHA256
b4591c462f1e5b3cea4fd7d744464ebe0e2370636b82d979cfbe7a1951f508ba

SHA512
d097ab45f6faec4c7f9c68a39bbc8ded076855090618210525533c4ff82118a5e51ea26212d4ba33979c736513fa5dd895669b4f639ad592917a289423e9a01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
MD5
3de1b53ba15759bb515319e5da8d0aaa

SHA1
113c30782eb2c0cfe10b9ed88f5ed5c8c34d64b3

SHA256
268131929b4cee90b627ad749b06b29d8d96a55e72863f4aaebc7f232ae9cf34

SHA512
fb73146842d4f7b016f4239d9e7a667f3330a7db03a7d5b663822d5c340bfcc8e4b8e9594766d58e8efd525f9b0de978d0ab2f58a24244a3ddc6446ffce8c9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
MD5
3de1b53ba15759bb515319e5da8d0aaa

SHA1
113c30782eb2c0cfe10b9ed88f5ed5c8c34d64b3

SHA256
268131929b4cee90b627ad749b06b29d8d96a55e72863f4aaebc7f232ae9cf34

SHA512
fb73146842d4f7b016f4239d9e7a667f3330a7db03a7d5b663822d5c340bfcc8e4b8e9594766d58e8efd525f9b0de978d0ab2f58a24244a3ddc6446ffce8c9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
MD5
ce788e585db4d417b92d8bdb345468e5

SHA1
7417cd7071702a999655c6caab37faeb59226388

SHA256
1b682fa08d99b1f57e545cab2e0cd553282682f7706a72afe5ee63264002e010

SHA512
48cd12e6dbbdca14b0e098ff6a8b41d363879f214690d8469cc7665c73f99e779f49f5eb7641162529763ae795c9ae3004f59110415dae1c10f04d696a63ceea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
MD5
ce788e585db4d417b92d8bdb345468e5

SHA1
7417cd7071702a999655c6caab37faeb59226388

SHA256
1b682fa08d99b1f57e545cab2e0cd553282682f7706a72afe5ee63264002e010

SHA512
48cd12e6dbbdca14b0e098ff6a8b41d363879f214690d8469cc7665c73f99e779f49f5eb7641162529763ae795c9ae3004f59110415dae1c10f04d696a63ceea

Download Submit
\Users\Admin\AppData\Local\Temp\E169.tmp\Untold Story - Sufferings of Muslims.exe
MD5
ceda36963247ee5b0c19f07491743409

SHA1
8720a400c97d6aaa12285cf624fbde7e1b6f9f9e

SHA256
93e885619434e8006c3274b206337ff924b0f1ff8a60a447283494be00c2e309

SHA512
5da84153183a3fb7f682ce2c949241d7ca6dedfe821008cec2cf5abf7baf27f919ebb364ad924406732e55f432cb32400a82aa215958a3b2713c7cad66a548fd

Download Submit
\Users\Admin\AppData\Local\Temp\E169.tmp\Untold Story - Sufferings of Muslims.exe
MD5
ceda36963247ee5b0c19f07491743409

SHA1
8720a400c97d6aaa12285cf624fbde7e1b6f9f9e

SHA256
93e885619434e8006c3274b206337ff924b0f1ff8a60a447283494be00c2e309

SHA512
5da84153183a3fb7f682ce2c949241d7ca6dedfe821008cec2cf5abf7baf27f919ebb364ad924406732e55f432cb32400a82aa215958a3b2713c7cad66a548fd

Download Submit
\Users\Admin\AppData\Local\Temp\E169.tmp\Untold Story - Sufferings of Muslims.exe
MD5
ceda36963247ee5b0c19f07491743409

SHA1
8720a400c97d6aaa12285cf624fbde7e1b6f9f9e

SHA256
93e885619434e8006c3274b206337ff924b0f1ff8a60a447283494be00c2e309

SHA512
5da84153183a3fb7f682ce2c949241d7ca6dedfe821008cec2cf5abf7baf27f919ebb364ad924406732e55f432cb32400a82aa215958a3b2713c7cad66a548fd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
MD5
3de1b53ba15759bb515319e5da8d0aaa

SHA1
113c30782eb2c0cfe10b9ed88f5ed5c8c34d64b3

SHA256
268131929b4cee90b627ad749b06b29d8d96a55e72863f4aaebc7f232ae9cf34

SHA512
fb73146842d4f7b016f4239d9e7a667f3330a7db03a7d5b663822d5c340bfcc8e4b8e9594766d58e8efd525f9b0de978d0ab2f58a24244a3ddc6446ffce8c9c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
MD5
3de1b53ba15759bb515319e5da8d0aaa

SHA1
113c30782eb2c0cfe10b9ed88f5ed5c8c34d64b3

SHA256
268131929b4cee90b627ad749b06b29d8d96a55e72863f4aaebc7f232ae9cf34

SHA512
fb73146842d4f7b016f4239d9e7a667f3330a7db03a7d5b663822d5c340bfcc8e4b8e9594766d58e8efd525f9b0de978d0ab2f58a24244a3ddc6446ffce8c9c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTOLD~1.EXE
MD5
3de1b53ba15759bb515319e5da8d0aaa

SHA1
113c30782eb2c0cfe10b9ed88f5ed5c8c34d64b3

SHA256
268131929b4cee90b627ad749b06b29d8d96a55e72863f4aaebc7f232ae9cf34

SHA512
fb73146842d4f7b016f4239d9e7a667f3330a7db03a7d5b663822d5c340bfcc8e4b8e9594766d58e8efd525f9b0de978d0ab2f58a24244a3ddc6446ffce8c9c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
MD5
ce788e585db4d417b92d8bdb345468e5

SHA1
7417cd7071702a999655c6caab37faeb59226388

SHA256
1b682fa08d99b1f57e545cab2e0cd553282682f7706a72afe5ee63264002e010

SHA512
48cd12e6dbbdca14b0e098ff6a8b41d363879f214690d8469cc7665c73f99e779f49f5eb7641162529763ae795c9ae3004f59110415dae1c10f04d696a63ceea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
MD5
ce788e585db4d417b92d8bdb345468e5

SHA1
7417cd7071702a999655c6caab37faeb59226388

SHA256
1b682fa08d99b1f57e545cab2e0cd553282682f7706a72afe5ee63264002e010

SHA512
48cd12e6dbbdca14b0e098ff6a8b41d363879f214690d8469cc7665c73f99e779f49f5eb7641162529763ae795c9ae3004f59110415dae1c10f04d696a63ceea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WUApp.exe
MD5
ce788e585db4d417b92d8bdb345468e5

SHA1
7417cd7071702a999655c6caab37faeb59226388

SHA256
1b682fa08d99b1f57e545cab2e0cd553282682f7706a72afe5ee63264002e010

SHA512
48cd12e6dbbdca14b0e098ff6a8b41d363879f214690d8469cc7665c73f99e779f49f5eb7641162529763ae795c9ae3004f59110415dae1c10f04d696a63ceea

Download Submit
memory/1736-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download