Overview

overview

10

Static

static

8

47d9e4a576...b7.exe

windows7-x64

10

47d9e4a576...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 14:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    47d9e4a5769898c1b8e55f8c604d995d4e6b1bf1990700c7019f362c64fa87b7.exe

  • Size

    298KB

  • MD5

    242b7f88b5fa9333e55956e11f59661b

  • SHA1

    944bbfafe516e07149312eda923f94d713f38e5f

  • SHA256

    47d9e4a5769898c1b8e55f8c604d995d4e6b1bf1990700c7019f362c64fa87b7

  • SHA512

    cd6c86120dbfc38be36c7c0b4b1dda1a8da58958fc68388d778f70445b83bca453c3b3dae0680a45a54ed36fba8b645582de550f84e1fb899b4d2bf70c9eba2a

  • SSDEEP

    6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYR:v6Wq4aaE6KwyF5L0Y2D1PqLI

Score
10/10
evasionupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47d9e4a5769898c1b8e55f8c604d995d4e6b1bf1990700c7019f362c64fa87b7.exe
    "C:\Users\Admin\AppData\Local\Temp\47d9e4a5769898c1b8e55f8c604d995d4e6b1bf1990700c7019f362c64fa87b7.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\svhost.exe
        C:\Windows\svhost.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:972

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\svhost.exe
          Filesize

          298KB

          MD5

          f8646ce3f289f93a7f659f80b767539c

          SHA1

          8b6c3aade413db0b2557040498ef052700eee59a

          SHA256

          4cd18275f7a17151c8cb65422342b0bb88d5a84ca9364b45129a7aa95258b3c1

          SHA512

          6d33a402d4461af4642863efd50a1e4026f648f937f3d5758edeb3a423504a8e6d0bd2b1d35fa8f03d376d8dc271972bdc330dc7b8662a285b4aed899db2e5f8

          Download Submit

        • C:\Windows\svhost.exe
          Filesize

          298KB

          MD5

          f8646ce3f289f93a7f659f80b767539c

          SHA1

          8b6c3aade413db0b2557040498ef052700eee59a

          SHA256

          4cd18275f7a17151c8cb65422342b0bb88d5a84ca9364b45129a7aa95258b3c1

          SHA512

          6d33a402d4461af4642863efd50a1e4026f648f937f3d5758edeb3a423504a8e6d0bd2b1d35fa8f03d376d8dc271972bdc330dc7b8662a285b4aed899db2e5f8

          Download Submit

        • C:\Windows\svhost.exe
          Filesize

          298KB

          MD5

          f8646ce3f289f93a7f659f80b767539c

          SHA1

          8b6c3aade413db0b2557040498ef052700eee59a

          SHA256

          4cd18275f7a17151c8cb65422342b0bb88d5a84ca9364b45129a7aa95258b3c1

          SHA512

          6d33a402d4461af4642863efd50a1e4026f648f937f3d5758edeb3a423504a8e6d0bd2b1d35fa8f03d376d8dc271972bdc330dc7b8662a285b4aed899db2e5f8

          Download Submit

        • memory/972-65-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/972-67-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1532-62-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1532-63-0x00000000036F0000-0x00000000037B2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1532-68-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1948-64-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1948-66-0x0000000000400000-0x00000000004C2000-memory.dmp

          Filesize

          776KB

          Download