7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe
Size

1.0MB
MD5

6575b134dd7b050d597ef0475d0e1585
SHA1

6fbc76429ccbbf9dbdee4c86b1d61f612e70f60e
SHA256

7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e
SHA512

8628530230d14ad428d0c28bfd0e9363858c44b95a614127e7a57c284c605be19e7e6d0a5b4b5ccfdad5135f670507b23238d507c0e4e05891d05dd0e9de3014
SSDEEP

24576:MQCMf3oQlibOIQxiZY1Oa7RlOoIT40sAZw8Ts:UMPoQlATFZY1Oa7Rl+e

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
820	unpo.exe
1748	unpo.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1416	netsh.exe
664	netsh.exe

Deletes itself 1 IoCs

pid	Process
688	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	unpo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{19ED80CB-C310-6D58-B3B1-F1C53EEAA9AA} = "C:\\Users\\Admin\\AppData\\Roaming\\Sony\\unpo.exe"	unpo.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000012752-69.dat	autoit_exe
behavioral1/files/0x000a000000012752-71.dat	autoit_exe
behavioral1/files/0x000a000000012752-73.dat	autoit_exe
behavioral1/files/0x000a000000012752-84.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 820 set thread context of 1748	820	unpo.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe
1748	unpo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1416	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	26
PID 1160 wrote to memory of 1416	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	26
PID 1160 wrote to memory of 1416	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	26
PID 1160 wrote to memory of 1416	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	26
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1160 wrote to memory of 1716	1160	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	28
PID 1716 wrote to memory of 820	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	29
PID 1716 wrote to memory of 820	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	29
PID 1716 wrote to memory of 820	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	29
PID 1716 wrote to memory of 820	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	29
PID 820 wrote to memory of 664	820	unpo.exe	30
PID 820 wrote to memory of 664	820	unpo.exe	30
PID 820 wrote to memory of 664	820	unpo.exe	30
PID 820 wrote to memory of 664	820	unpo.exe	30
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 820 wrote to memory of 1748	820	unpo.exe	32
PID 1748 wrote to memory of 1244	1748	unpo.exe	12
PID 1748 wrote to memory of 1244	1748	unpo.exe	12
PID 1748 wrote to memory of 1244	1748	unpo.exe	12
PID 1748 wrote to memory of 1244	1748	unpo.exe	12
PID 1748 wrote to memory of 1244	1748	unpo.exe	12
PID 1748 wrote to memory of 1328	1748	unpo.exe	11
PID 1748 wrote to memory of 1328	1748	unpo.exe	11
PID 1748 wrote to memory of 1328	1748	unpo.exe	11
PID 1748 wrote to memory of 1328	1748	unpo.exe	11
PID 1748 wrote to memory of 1328	1748	unpo.exe	11
PID 1716 wrote to memory of 688	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	33
PID 1716 wrote to memory of 688	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	33
PID 1716 wrote to memory of 688	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	33
PID 1716 wrote to memory of 688	1716	7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe	33
PID 1748 wrote to memory of 1352	1748	unpo.exe	10
PID 1748 wrote to memory of 1352	1748	unpo.exe	10
PID 1748 wrote to memory of 1352	1748	unpo.exe	10
PID 1748 wrote to memory of 1352	1748	unpo.exe	10
PID 1748 wrote to memory of 1352	1748	unpo.exe	10
PID 1748 wrote to memory of 688	1748	unpo.exe	33
PID 1748 wrote to memory of 688	1748	unpo.exe	33
PID 1748 wrote to memory of 688	1748	unpo.exe	33
PID 1748 wrote to memory of 688	1748	unpo.exe	33
PID 1748 wrote to memory of 688	1748	unpo.exe	33
PID 1748 wrote to memory of 2036	1748	unpo.exe	34
PID 1748 wrote to memory of 896	1748	unpo.exe	35
PID 1748 wrote to memory of 896	1748	unpo.exe	35
PID 1748 wrote to memory of 896	1748	unpo.exe	35
PID 1748 wrote to memory of 896	1748	unpo.exe	35
PID 1748 wrote to memory of 896	1748	unpo.exe	35
PID 1748 wrote to memory of 1856	1748	unpo.exe	36
PID 1748 wrote to memory of 1856	1748	unpo.exe	36
PID 1748 wrote to memory of 1856	1748	unpo.exe	36
PID 1748 wrote to memory of 1856	1748	unpo.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe
  "C:\Users\Admin\AppData\Local\Temp\7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe
    "C:\Users\Admin\AppData\Local\Temp\7d83d737bae2597faf8f2ea8347e0c730a66a2049ef4bf2d7852488a34eaf17e.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Roaming\Sony\unpo.exe
      "C:\Users\Admin\AppData\Roaming\Sony\unpo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Sony\unpo.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:664
    - - C:\Users\Admin\AppData\Roaming\Sony\unpo.exe
        
        "C:\Users\Admin\AppData\Roaming\Sony\unpo.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpda1d8f46.bat"
      4⤵
      Deletes itself
      PID:688

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-765640731502240946-1649747001-577595394-1052805984-128077477-1969893205-1985934563"
1⤵
PID:2036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpda1d8f46.bat

Filesize
307B

MD5
d005783f917f7a3d87f8e0b49c7bee49

SHA1
5eda6e7af02cfa8cf3fbbecac61433729fda8abd

SHA256
fa9f73202744413915ccb761dabe2ddad8587dd353fdc291c8df66059fd4cf1b

SHA512
a63780bc8eb7b524ce59bc77f10e99f0409eaef94882891cc88229c3a1555be48335a7cf85114f68972df294370dc1fdd496011525135fb907776850254ba544

Download Submit
C:\Users\Admin\AppData\Roaming\Sony\unpo.exe

Filesize
1.0MB

MD5
143bd749f9fd54bc5ec602263077614f

SHA1
761cebfad7445bc453325c089a27e56c37dff9d7

SHA256
e1fde2d8ec25d8fabdfb844b5a76bf50fd026735ed1c728de64ca28c1d05bfb7

SHA512
eb3f872f97ba9486fb22c9e0a9b2326412d03e3fca150f1c64cf2def12e6d5ad305ce558ce3d76ac12e9f38a91f76aaa1c4cb28efa85a3517cb7a82f4a4c8364

Download Submit
C:\Users\Admin\AppData\Roaming\Sony\unpo.exe

Filesize
1.0MB

MD5
143bd749f9fd54bc5ec602263077614f

SHA1
761cebfad7445bc453325c089a27e56c37dff9d7

SHA256
e1fde2d8ec25d8fabdfb844b5a76bf50fd026735ed1c728de64ca28c1d05bfb7

SHA512
eb3f872f97ba9486fb22c9e0a9b2326412d03e3fca150f1c64cf2def12e6d5ad305ce558ce3d76ac12e9f38a91f76aaa1c4cb28efa85a3517cb7a82f4a4c8364

Download Submit
C:\Users\Admin\AppData\Roaming\Sony\unpo.exe

Filesize
1.0MB

MD5
143bd749f9fd54bc5ec602263077614f

SHA1
761cebfad7445bc453325c089a27e56c37dff9d7

SHA256
e1fde2d8ec25d8fabdfb844b5a76bf50fd026735ed1c728de64ca28c1d05bfb7

SHA512
eb3f872f97ba9486fb22c9e0a9b2326412d03e3fca150f1c64cf2def12e6d5ad305ce558ce3d76ac12e9f38a91f76aaa1c4cb28efa85a3517cb7a82f4a4c8364

Download Submit
\Users\Admin\AppData\Roaming\Sony\unpo.exe

Filesize
1.0MB

MD5
143bd749f9fd54bc5ec602263077614f

SHA1
761cebfad7445bc453325c089a27e56c37dff9d7

SHA256
e1fde2d8ec25d8fabdfb844b5a76bf50fd026735ed1c728de64ca28c1d05bfb7

SHA512
eb3f872f97ba9486fb22c9e0a9b2326412d03e3fca150f1c64cf2def12e6d5ad305ce558ce3d76ac12e9f38a91f76aaa1c4cb28efa85a3517cb7a82f4a4c8364

Download Submit
memory/688-109-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/688-110-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/688-111-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/688-112-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/896-119-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/896-118-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/896-120-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/896-121-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/944-133-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/944-132-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/944-131-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/944-130-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1244-89-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/1244-90-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/1244-91-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/1244-92-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/1328-98-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1328-95-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1328-97-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1328-96-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1352-103-0x0000000002670000-0x0000000002697000-memory.dmp

Filesize
156KB

Download
memory/1352-104-0x0000000002670000-0x0000000002697000-memory.dmp

Filesize
156KB

Download
memory/1352-105-0x0000000002670000-0x0000000002697000-memory.dmp

Filesize
156KB

Download
memory/1352-106-0x0000000002670000-0x0000000002697000-memory.dmp

Filesize
156KB

Download
memory/1716-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-102-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1716-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-115-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1856-127-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1856-126-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1856-125-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1856-124-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download