Overview

overview

8

Static

static

61a01560ab...36.exe

windows7-x64

8

61a01560ab...36.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    102s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe

  • Size

    1.2MB

  • MD5

    617b022e71a5d40ebdbe5ed9507f028d

  • SHA1

    6bbacfabd060d5b75fcc5169ccde812bd50cf762

  • SHA256

    61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236

  • SHA512

    778f4a0793ff13acec4f9f415df4f0a1c17268af002f923c41c679ab250ef18f2626921f67c5d473e2c3e57f26428be5d6c6fae43be20b712ee26b6e75f1b5c2

  • SSDEEP

    24576:ynL83cUxIysopjz8WaSzjq6e9gZoXcYpYc8EigfhmYo1ISI4IBjhD:I4cUcU8k+6nZmYcFjfhmYmnIBjt

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe
    "C:\Users\Admin\AppData\Local\Temp\61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
      "C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
        "C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe
          "C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2308
          • C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe
            "C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:3784
    • C:\Users\Admin\AppData\Local\Temp\UFR.exe
      "C:\Users\Admin\AppData\Local\Temp\UFR.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
    Filesize

    47KB

    MD5

    52c502d749eb4fd9a057abaf0db2a2cd

    SHA1

    ded71c3be511c13ef7e8d10dc7303877a4a31ad9

    SHA256

    777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

    SHA512

    e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
    Filesize

    47KB

    MD5

    52c502d749eb4fd9a057abaf0db2a2cd

    SHA1

    ded71c3be511c13ef7e8d10dc7303877a4a31ad9

    SHA256

    777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

    SHA512

    e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
    Filesize

    47KB

    MD5

    52c502d749eb4fd9a057abaf0db2a2cd

    SHA1

    ded71c3be511c13ef7e8d10dc7303877a4a31ad9

    SHA256

    777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

    SHA512

    e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UFR.exe
    Filesize

    1015KB

    MD5

    eb40b0fb8931a46620f4a42258969213

    SHA1

    bfd6e0931826144b4b24b83c4abe244eebd330c2

    SHA256

    b935a9835a07ad642fe157e5b57e75092124feb750da2e383ee16593760b747e

    SHA512

    61758a07f0e7b9ea24d385822785b9bc17e039f74105227c04c746c89e1662bece9ff66e28e5b27221e52be5d584c8202a28b400e428ae62ac5869873a14e047

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UFR.exe
    Filesize

    1015KB

    MD5

    eb40b0fb8931a46620f4a42258969213

    SHA1

    bfd6e0931826144b4b24b83c4abe244eebd330c2

    SHA256

    b935a9835a07ad642fe157e5b57e75092124feb750da2e383ee16593760b747e

    SHA512

    61758a07f0e7b9ea24d385822785b9bc17e039f74105227c04c746c89e1662bece9ff66e28e5b27221e52be5d584c8202a28b400e428ae62ac5869873a14e047

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe
    Filesize

    47KB

    MD5

    52c502d749eb4fd9a057abaf0db2a2cd

    SHA1

    ded71c3be511c13ef7e8d10dc7303877a4a31ad9

    SHA256

    777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

    SHA512

    e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe
    Filesize

    47KB

    MD5

    52c502d749eb4fd9a057abaf0db2a2cd

    SHA1

    ded71c3be511c13ef7e8d10dc7303877a4a31ad9

    SHA256

    777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

    SHA512

    e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Packages\winpckg.exe
    Filesize

    47KB

    MD5

    52c502d749eb4fd9a057abaf0db2a2cd

    SHA1

    ded71c3be511c13ef7e8d10dc7303877a4a31ad9

    SHA256

    777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

    SHA512

    e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

    Download Submit

  • memory/2308-148-0x0000000000000000-mapping.dmp

    Download

  • memory/3784-161-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3784-159-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3784-153-0x0000000000000000-mapping.dmp

    Download

  • memory/4056-132-0x00007FF882410000-0x00007FF882E46000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/4332-146-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4332-147-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4332-143-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4332-142-0x0000000000000000-mapping.dmp

    Download

  • memory/4332-158-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4632-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4876-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4876-139-0x0000000000400000-0x0000000000670000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4876-160-0x0000000000400000-0x0000000000670000-memory.dmp

    Filesize

    2.4MB

    Download