5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
Size

194KB
MD5

1201df5c7b678636b781e9215fdd3c7c
SHA1

76205d217a643ecc3a7c40a98b73df690570a09f
SHA256

5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5
SHA512

238dfc9088221ddf9f6dbab500362dcadadec582ec4183cda2d55a4ea2c8d3298195f3b145336a36eefba0f6e64c7ec923b6d1d051671b2c6f76923ebdb7125d
SSDEEP

3072:2xyylW5m9/MGpqUFay+qW+DDZ6GwBoFbs90zdTWW78UJvFDIsAHGCGzNCFNytOo1:CyUbwUFoq35sGI90zxj8UBgHGCN0

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1372	server.exe
1296	LIVEMACRO_07d.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1376-71-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LIVEMACRO_07d.exe	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\server.exe	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe
1296	LIVEMACRO_07d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1372	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	26
PID 1376 wrote to memory of 1372	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	26
PID 1376 wrote to memory of 1372	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	26
PID 1376 wrote to memory of 1372	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	26
PID 1376 wrote to memory of 1296	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	27
PID 1376 wrote to memory of 1296	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	27
PID 1376 wrote to memory of 1296	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	27
PID 1376 wrote to memory of 1296	1376	5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe	27
PID 1296 wrote to memory of 1740	1296	LIVEMACRO_07d.exe	29
PID 1296 wrote to memory of 1740	1296	LIVEMACRO_07d.exe	29
PID 1296 wrote to memory of 1740	1296	LIVEMACRO_07d.exe	29
PID 1296 wrote to memory of 1740	1296	LIVEMACRO_07d.exe	29

C:\Users\Admin\AppData\Local\Temp\5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe
"C:\Users\Admin\AppData\Local\Temp\5998366f636f9bda6c4cd1334e877a60272bc0e6a7ede1a1e606c45b7da9f4d5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files (x86)\server.exe
  "C:\Program Files (x86)\server.exe"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\SysWOW64\LIVEMACRO_07d.exe
  "C:\Windows\system32\LIVEMACRO_07d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\server.exe

Filesize
28KB

MD5
2c5f4414d794c8eb192942ad48053299

SHA1
7829a8830bd3e8def7bdd540b37094defafe6b5c

SHA256
f2487b94d5678c63ef67464bd2e957f0f83ac9bf3811ba1cf0a5fb053f2fe19a

SHA512
9ed5cdcb787a7298a4ce1b7130381192d480127cc7fb4ba526fffb2e060d14f6ef4b7aa07558f802df867d4bfe645d69b036bd5a589deed23dc694f699306f07

Download Submit
C:\Program Files (x86)\server.exe

Filesize
28KB

MD5
2c5f4414d794c8eb192942ad48053299

SHA1
7829a8830bd3e8def7bdd540b37094defafe6b5c

SHA256
f2487b94d5678c63ef67464bd2e957f0f83ac9bf3811ba1cf0a5fb053f2fe19a

SHA512
9ed5cdcb787a7298a4ce1b7130381192d480127cc7fb4ba526fffb2e060d14f6ef4b7aa07558f802df867d4bfe645d69b036bd5a589deed23dc694f699306f07

Download Submit
C:\Windows\SysWOW64\LIVEMACRO_07d.exe

Filesize
168KB

MD5
488453ccf581eb49ca793a28fce78368

SHA1
6d8c74f18d9d0928147ba7705dac43668524d902

SHA256
a7ec3360fc1602e670b4379f1e471f54f7dce425fa5e3222984ebde5c7a0cd89

SHA512
6aac82edf51d2876c7a02d691d67bbf3a8778ce134b361a8af1f323edb81a22560677b95c5832b5cda01f5969c45df78996b46ea002cfcb41ba88252ef194da2

Download Submit
\Program Files (x86)\server.exe

Filesize
28KB

MD5
2c5f4414d794c8eb192942ad48053299

SHA1
7829a8830bd3e8def7bdd540b37094defafe6b5c

SHA256
f2487b94d5678c63ef67464bd2e957f0f83ac9bf3811ba1cf0a5fb053f2fe19a

SHA512
9ed5cdcb787a7298a4ce1b7130381192d480127cc7fb4ba526fffb2e060d14f6ef4b7aa07558f802df867d4bfe645d69b036bd5a589deed23dc694f699306f07

Download Submit
\Program Files (x86)\server.exe

Filesize
28KB

MD5
2c5f4414d794c8eb192942ad48053299

SHA1
7829a8830bd3e8def7bdd540b37094defafe6b5c

SHA256
f2487b94d5678c63ef67464bd2e957f0f83ac9bf3811ba1cf0a5fb053f2fe19a

SHA512
9ed5cdcb787a7298a4ce1b7130381192d480127cc7fb4ba526fffb2e060d14f6ef4b7aa07558f802df867d4bfe645d69b036bd5a589deed23dc694f699306f07

Download Submit
\Program Files (x86)\server.exe

Filesize
28KB

MD5
2c5f4414d794c8eb192942ad48053299

SHA1
7829a8830bd3e8def7bdd540b37094defafe6b5c

SHA256
f2487b94d5678c63ef67464bd2e957f0f83ac9bf3811ba1cf0a5fb053f2fe19a

SHA512
9ed5cdcb787a7298a4ce1b7130381192d480127cc7fb4ba526fffb2e060d14f6ef4b7aa07558f802df867d4bfe645d69b036bd5a589deed23dc694f699306f07

Download Submit
\Program Files (x86)\server.exe

Filesize
28KB

MD5
2c5f4414d794c8eb192942ad48053299

SHA1
7829a8830bd3e8def7bdd540b37094defafe6b5c

SHA256
f2487b94d5678c63ef67464bd2e957f0f83ac9bf3811ba1cf0a5fb053f2fe19a

SHA512
9ed5cdcb787a7298a4ce1b7130381192d480127cc7fb4ba526fffb2e060d14f6ef4b7aa07558f802df867d4bfe645d69b036bd5a589deed23dc694f699306f07

Download Submit
\Windows\SysWOW64\LIVEMACRO_07d.exe

Filesize
168KB

MD5
488453ccf581eb49ca793a28fce78368

SHA1
6d8c74f18d9d0928147ba7705dac43668524d902

SHA256
a7ec3360fc1602e670b4379f1e471f54f7dce425fa5e3222984ebde5c7a0cd89

SHA512
6aac82edf51d2876c7a02d691d67bbf3a8778ce134b361a8af1f323edb81a22560677b95c5832b5cda01f5969c45df78996b46ea002cfcb41ba88252ef194da2

Download Submit
\Windows\SysWOW64\LIVEMACRO_07d.exe

Filesize
168KB

MD5
488453ccf581eb49ca793a28fce78368

SHA1
6d8c74f18d9d0928147ba7705dac43668524d902

SHA256
a7ec3360fc1602e670b4379f1e471f54f7dce425fa5e3222984ebde5c7a0cd89

SHA512
6aac82edf51d2876c7a02d691d67bbf3a8778ce134b361a8af1f323edb81a22560677b95c5832b5cda01f5969c45df78996b46ea002cfcb41ba88252ef194da2

Download Submit
\Windows\SysWOW64\LIVEMACRO_07d.exe

Filesize
168KB

MD5
488453ccf581eb49ca793a28fce78368

SHA1
6d8c74f18d9d0928147ba7705dac43668524d902

SHA256
a7ec3360fc1602e670b4379f1e471f54f7dce425fa5e3222984ebde5c7a0cd89

SHA512
6aac82edf51d2876c7a02d691d67bbf3a8778ce134b361a8af1f323edb81a22560677b95c5832b5cda01f5969c45df78996b46ea002cfcb41ba88252ef194da2

Download Submit
\Windows\SysWOW64\LIVEMACRO_07d.exe

Filesize
168KB

MD5
488453ccf581eb49ca793a28fce78368

SHA1
6d8c74f18d9d0928147ba7705dac43668524d902

SHA256
a7ec3360fc1602e670b4379f1e471f54f7dce425fa5e3222984ebde5c7a0cd89

SHA512
6aac82edf51d2876c7a02d691d67bbf3a8778ce134b361a8af1f323edb81a22560677b95c5832b5cda01f5969c45df78996b46ea002cfcb41ba88252ef194da2

Download Submit
memory/1296-69-0x0000000000000000-mapping.dmp

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1372-65-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1372-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1376-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1740-72-0x0000000000000000-mapping.dmp

Download