Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2022 13:25

General

  • Target

    53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe

  • Size

    444KB

  • MD5

    7ab6b6832ada10a6e0dfb8711e873179

  • SHA1

    8839d370bf9bd62bd3879fbbd946cf5e2367a814

  • SHA256

    53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215

  • SHA512

    b647afd0f90638ed91c2dd4fdbd32659ec4da7f352230ed802fbe88e7a6b8d3b97737dffcdd30169590253786197e4071232338834de4b5f2c95d286557f6051

  • SSDEEP

    6144:5ZunObR8sVImcyYC5JEY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPf:WK+mz1NE/Ds3fM20lHmYWwH3zuxPf

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe
    "C:\Users\Admin\AppData\Local\Temp\53bc46768102cb1c57090ab315eba36d22b7ee85f34ab6e9b15f7cce6aacb215.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\zholwg.exe
        zholwg.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:772

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

    Filesize

    333KB

    MD5

    5a74f1a22e11a717cff8bd4f6f18913d

    SHA1

    459db43f79a38a9d67aeb248328039eb6c77ac43

    SHA256

    0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

    SHA512

    bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\zholwg.exe

    Filesize

    18KB

    MD5

    220d8ec3964ca685a336a8e64f28fc81

    SHA1

    1401474830040841961ab49a266a940ea13aee91

    SHA256

    31e95fe36fd3edbed947759af089577b0cd8fc9f42a6b18c482d53b55c9af406

    SHA512

    67ee6612a3911f02240ac12e47edbd6de94de50150d7b0b6a340b1f0712638e5d2f760fff4e41cbee115ce544746bf78f77a6fa910f16a2599c3bb333fc1a862

  • C:\Users\Admin\AppData\Local\Temp\elementpt.dll

    Filesize

    25KB

    MD5

    0de9ad04546ca648ae0f8568c30bf4c2

    SHA1

    3a99c074da19ac4f5a55e7102f4e6914d3876722

    SHA256

    ec934d537f95c81a01eafb4312a7d4f21b912512db9fe79984cd7d1763e8493c

    SHA512

    19995a5b79ec31e122232f7fd9ca3caff68f5ae1155fefcf46dfa760b60e92b4c4190b514bfb72e096210919cf6fb4f394252c68fe2d30b93796242d1584633e

  • memory/772-136-0x0000000000000000-mapping.dmp

  • memory/772-139-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/772-144-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/772-147-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/1944-145-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2884-135-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB

  • memory/2884-132-0x0000000000000000-mapping.dmp

  • memory/2884-146-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB