20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
Size

4.0MB
MD5

65b220e862ed1d275efb9562866c4c44
SHA1

45684bb0a95db0abf03004f66c835b05dbf77fd2
SHA256

20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda
SHA512

f198506e7c380d8fe25231a1f857ca1d1919f5bea97e6e41d46ff249c37304292854f2d9797d6fd493a736f9f26bbd700267d9f263c9508672bb023967316902
SSDEEP

98304:Gdktdnfnwp3oOLuB/3/um1UCwW7MkdynA+0sfY:/tdn/izLsum2CFwSynT0r

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1660-54-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\W:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\X:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\F:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\L:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\E:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\H:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\N:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\P:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\T:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\A:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\B:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\O:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\Q:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\S:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\G:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\K:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\R:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\U:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\V:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\Y:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\Z:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\I:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened (read-only)	\??\J:	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened for modification	C:\autorun.inf	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NetInfo.exe	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
File opened for modification	C:\Windows\SysWOW64\NetInfo.exe	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe

C:\Users\Admin\AppData\Local\Temp\20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe
"C:\Users\Admin\AppData\Local\Temp\20fbda5239a6d096191510fdc42ed25406088a6e0f2b33fc48f4e51d3daaddda.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1660