Overview

overview

10

Static

static

a8819cbedf...af.exe

windows7-x64

10

a8819cbedf...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 02:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a8819cbedfb95a7daac5ab14b5cbbb4d4a381425cd911762c53abe048d3b6eaf.exe

  • Size

    544KB

  • MD5

    30570cb9e2087e618cf937f2469dad38

  • SHA1

    c175356d6dffdab7208b7b95602c62792cd8df03

  • SHA256

    a8819cbedfb95a7daac5ab14b5cbbb4d4a381425cd911762c53abe048d3b6eaf

  • SHA512

    4b55e78243cabb22a738cdd50aa0723b5389e02509b5265555b3aa64a8ad732564e953b5e45870d96824bfb096daf65abaf50572807d34cd9d83c393d4e5ee72

  • SSDEEP

    12288:2QIWT/UzJW8ivxh7vHzgryd4GT1QOoJqbbEUqe9mJd/uB28Rr8O9F8/CwM:2QI+cJHiJRTHnxhUqEhe9suB2C8O9O

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\a8819cbedfb95a7daac5ab14b5cbbb4d4a381425cd911762c53abe048d3b6eaf.exe
      "C:\Users\Admin\AppData\Local\Temp\a8819cbedfb95a7daac5ab14b5cbbb4d4a381425cd911762c53abe048d3b6eaf.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Users\Admin\gau5f8p1.exe
        C:\Users\Admin\gau5f8p1.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\raoyiu.exe
          "C:\Users\Admin\raoyiu.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4760
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del gau5f8p1.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
      • C:\Users\Admin\2des.exe
        C:\Users\Admin\2des.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Users\Admin\2des.exe
          "C:\Users\Admin\2des.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2328
        • C:\Users\Admin\2des.exe
          "C:\Users\Admin\2des.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4304
        • C:\Users\Admin\2des.exe
          "C:\Users\Admin\2des.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1372
        • C:\Users\Admin\2des.exe
          "C:\Users\Admin\2des.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2080
        • C:\Users\Admin\2des.exe
          "C:\Users\Admin\2des.exe"
          4⤵
          • Executes dropped EXE
          PID:3100
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 80
            5⤵
            • Program crash
            PID:4744
      • C:\Users\Admin\3des.exe
        C:\Users\Admin\3des.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Users\Admin\AppData\Local\2aebb42b\X
          *0*bc*9a6cba8f*31.193.3.240:53
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:984
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:3756
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del a8819cbedfb95a7daac5ab14b5cbbb4d4a381425cd911762c53abe048d3b6eaf.exe
          3⤵
            PID:3516
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3100 -ip 3100
        1⤵
          PID:224

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\2des.exe
                Filesize

                132KB

                MD5

                da081a5c83e9130e96acb301295bb14b

                SHA1

                4e46aa4b39ea48c86838432e2724d7d3c508ab01

                SHA256

                7ff325379204c4ab4a2a8cd60f5299eba0582c4fe52014689fd69008d1154646

                SHA512

                46c1c1f0121bb1cd75656461a0e8044b665dc3601a79053516f7092b8230fb08be91eca4da1933d0719a78cf91699d1f6e641d06b3f21cdc5f3d97bcc9b381e1

                Download Submit

              • C:\Users\Admin\3des.exe
                Filesize

                286KB

                MD5

                cb278b7760c080ea4f57aea471f0f674

                SHA1

                2c052b2db7a196d127c2b84b62563d0c98ec0413

                SHA256

                74cb6a456be0e9bad997e8c97475c47ab27c40d3627484f7b38a86bd01c78930

                SHA512

                dbdf6a95b53a53f3a3dd929e0b1d63d512c00e9d28bf2f05c3e63707f0208f4f311adc637bb97a9d05bdb6bad9d6c7021aeec8c99ffe7033212e7763d4046bd3

                Download Submit

              • C:\Users\Admin\3des.exe
                Filesize

                286KB

                MD5

                cb278b7760c080ea4f57aea471f0f674

                SHA1

                2c052b2db7a196d127c2b84b62563d0c98ec0413

                SHA256

                74cb6a456be0e9bad997e8c97475c47ab27c40d3627484f7b38a86bd01c78930

                SHA512

                dbdf6a95b53a53f3a3dd929e0b1d63d512c00e9d28bf2f05c3e63707f0208f4f311adc637bb97a9d05bdb6bad9d6c7021aeec8c99ffe7033212e7763d4046bd3

                Download Submit

              • C:\Users\Admin\AppData\Local\2aebb42b\X
                Filesize

                38KB

                MD5

                72de2dadaf875e2fd7614e100419033c

                SHA1

                5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

                SHA256

                c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

                SHA512

                e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

                Download Submit

              • C:\Users\Admin\AppData\Local\2aebb42b\X
                Filesize

                38KB

                MD5

                72de2dadaf875e2fd7614e100419033c

                SHA1

                5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

                SHA256

                c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

                SHA512

                e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

                Download Submit

              • C:\Users\Admin\gau5f8p1.exe
                Filesize

                252KB

                MD5

                3e152747de87d4674484a003398db051

                SHA1

                82557817b08eb981afa68701092d9f6e0d71ef79

                SHA256

                1d5897272a1b899ce244d0863e9cf743adf4a9f5838bed75b7fc6a6e31a9da3e

                SHA512

                dd726c743cac5696bf225d4b8d5cfa7b28f218eb6e7f2325e4f75d3cc4539e417210d477bafbcd82e7eb9e7b4e8ce20ae6ad30e2e7d36d949223bed0c78dcfa7

                Download Submit

              • C:\Users\Admin\gau5f8p1.exe
                Filesize

                252KB

                MD5

                3e152747de87d4674484a003398db051

                SHA1

                82557817b08eb981afa68701092d9f6e0d71ef79

                SHA256

                1d5897272a1b899ce244d0863e9cf743adf4a9f5838bed75b7fc6a6e31a9da3e

                SHA512

                dd726c743cac5696bf225d4b8d5cfa7b28f218eb6e7f2325e4f75d3cc4539e417210d477bafbcd82e7eb9e7b4e8ce20ae6ad30e2e7d36d949223bed0c78dcfa7

                Download Submit

              • C:\Users\Admin\raoyiu.exe
                Filesize

                252KB

                MD5

                7dc567381eff4eddd76add4a28ff7b3b

                SHA1

                9bdb6950a36f6c9ed2107393ec01833ac1084499

                SHA256

                936c686bdb12b298b70c36e84bdf6abaf46439d332a098dbf6dccd44b1c60a38

                SHA512

                f3009b3f0356878d483b5312e9dac02ba3bab98ed84577b92f5fecec9f9b5c98ca2d0848f72d0c8d9656cbe8aa99832244c0ef315e7ad66014506dba2c7ed9fe

                Download Submit

              • C:\Users\Admin\raoyiu.exe
                Filesize

                252KB

                MD5

                7dc567381eff4eddd76add4a28ff7b3b

                SHA1

                9bdb6950a36f6c9ed2107393ec01833ac1084499

                SHA256

                936c686bdb12b298b70c36e84bdf6abaf46439d332a098dbf6dccd44b1c60a38

                SHA512

                f3009b3f0356878d483b5312e9dac02ba3bab98ed84577b92f5fecec9f9b5c98ca2d0848f72d0c8d9656cbe8aa99832244c0ef315e7ad66014506dba2c7ed9fe

                Download Submit

              • memory/1372-163-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1372-187-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1372-178-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1372-199-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/1372-174-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2080-186-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2080-170-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2080-173-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2080-177-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2328-167-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2328-188-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2328-145-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2328-151-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2328-154-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/4304-153-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/4304-159-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/4304-162-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/4304-169-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/4976-189-0x0000000030670000-0x00000000306C2000-memory.dmp

                Filesize

                328KB

                Download

              • memory/4976-190-0x000000000093E000-0x0000000000975000-memory.dmp

                Filesize

                220KB

                Download

              • memory/4976-195-0x0000000030670000-0x00000000306C2000-memory.dmp

                Filesize

                328KB

                Download

              • memory/4976-196-0x000000000093E000-0x0000000000975000-memory.dmp

                Filesize

                220KB

                Download