Analysis

  • max time kernel
    41s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2022 22:02

General

  • Target

    01ec0b4c297da51d2cda52fd4d2f164874bd797fd699357d999e8228aee8e41f.exe

  • Size

    1.7MB

  • MD5

    6d1968a29a85d8da0aba07325a112470

  • SHA1

    8c33dd887ee77217bbe45cac603af501884eac06

  • SHA256

    01ec0b4c297da51d2cda52fd4d2f164874bd797fd699357d999e8228aee8e41f

  • SHA512

    71e3c16b1eaf63953732abf19f90826c730b22bcf283889843628cfe1218268c1ad714ef71005c32e03fc8921b9bcced5e670d330df62ef9c0868b05d48c4f96

  • SSDEEP

    24576:xthEVaPqLB/OXA8faoMTRpyiLthEVaPqLB/OXA8faoMTRpyiZ:pEVUcwkB3VfEVUcwkB3VZ

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01ec0b4c297da51d2cda52fd4d2f164874bd797fd699357d999e8228aee8e41f.exe
    "C:\Users\Admin\AppData\Local\Temp\01ec0b4c297da51d2cda52fd4d2f164874bd797fd699357d999e8228aee8e41f.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\01ec0b4c297da51d2cda52fd4d2f164874bd797fd699357d999e8228aee8e41f.exe
      C:\Users\Admin\AppData\Local\Temp\01ec0b4c297da51d2cda52fd4d2f164874bd797fd699357d999e8228aee8e41f.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\test.a3x"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1924
      • \??\c:\windows\SysWOW64\svchost.exe
        "c:\windows\system32\svchost.exe"
        3⤵
          PID:2024

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\test.a3x
      Filesize

      397KB

      MD5

      4e4cddd13c848074c11d4f1d291c6aba

      SHA1

      53e0002cead55ba20ef6261b1a43967e612fb558

      SHA256

      4070ad29af1c0328ceec6b7032f2ff7fa94ee4adaead367f32c549d13ebbcf77

      SHA512

      261bca93ac6b50af8c96b22d74b5a740380516869b3773c5f162924e8825770ebf6b65da83ac578cb592cfe9997bee8433e55648d32c2f2da83297904fbebb76

    • memory/1916-54-0x0000000075A81000-0x0000000075A83000-memory.dmp
      Filesize

      8KB

    • memory/1916-55-0x0000000000400000-0x0000000000516000-memory.dmp
      Filesize

      1.1MB

    • memory/1916-59-0x0000000000400000-0x0000000000516000-memory.dmp
      Filesize

      1.1MB

    • memory/1924-56-0x0000000000000000-mapping.dmp
    • memory/1924-62-0x0000000000400000-0x0000000000516000-memory.dmp
      Filesize

      1.1MB

    • memory/2024-61-0x00000000004CFB50-mapping.dmp