Overview

overview

8

Static

static

8

6ab686dcf2...38.exe

windows7-x64

8

6ab686dcf2...38.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    171s
  • max time network
    75s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2022, 07:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138.exe

  • Size

    36KB

  • MD5

    5b821c8266e4092ae9a1e447fcf3820c

  • SHA1

    d5bf94666d736f4fda4c5cbd335290b1b4d7c135

  • SHA256

    6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138

  • SHA512

    730ad91b6af73ff7ccef24521091fae77e87a3d5899ef3f11f7e6894bf69ee34e39d7d23716471a8f65078bb164c10db09acf889603a57e7b60885603add5855

  • SSDEEP

    768:DXym2RHT6BiHjWQR8SX8MZ0ExZqj+dqTht:Tj2IBw5F0Jt

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138.exe
    "C:\Users\Admin\AppData\Local\Temp\6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 &del 6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138.exe &start BHOCALL.EXE
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:952
      • C:\Windows\SysWOW64\BHOCALL.EXE
        BHOCALL.EXE
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c if exist C:\Users\Admin\AppData\Local\Temp\\~7ABC.tmp start C:\Users\Admin\AppData\Local\Temp\\~7ABC.tmp&ping 127.0.0.1 -n 20&if exist C:\Users\Admin\AppData\Local\Temp\\~7ABC.tmp del C:\Users\Admin\AppData\Local\Temp\\~7ABC.tmp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\~7ABC.tmp
            5⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1252
            • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~7ABC.tmp"
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:1064
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 20
            5⤵
            • Runs ping.exe
            PID:932

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\BHOCALL.EXE
          Filesize

          36KB

          MD5

          5b821c8266e4092ae9a1e447fcf3820c

          SHA1

          d5bf94666d736f4fda4c5cbd335290b1b4d7c135

          SHA256

          6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138

          SHA512

          730ad91b6af73ff7ccef24521091fae77e87a3d5899ef3f11f7e6894bf69ee34e39d7d23716471a8f65078bb164c10db09acf889603a57e7b60885603add5855

          Download Submit

        • C:\Windows\SysWOW64\BHOCALL.EXE
          Filesize

          36KB

          MD5

          5b821c8266e4092ae9a1e447fcf3820c

          SHA1

          d5bf94666d736f4fda4c5cbd335290b1b4d7c135

          SHA256

          6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138

          SHA512

          730ad91b6af73ff7ccef24521091fae77e87a3d5899ef3f11f7e6894bf69ee34e39d7d23716471a8f65078bb164c10db09acf889603a57e7b60885603add5855

          Download Submit

        • \Windows\SysWOW64\BHOCALL.EXE
          Filesize

          36KB

          MD5

          5b821c8266e4092ae9a1e447fcf3820c

          SHA1

          d5bf94666d736f4fda4c5cbd335290b1b4d7c135

          SHA256

          6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138

          SHA512

          730ad91b6af73ff7ccef24521091fae77e87a3d5899ef3f11f7e6894bf69ee34e39d7d23716471a8f65078bb164c10db09acf889603a57e7b60885603add5855

          Download Submit

        • \Windows\SysWOW64\BHOCALL.EXE
          Filesize

          36KB

          MD5

          5b821c8266e4092ae9a1e447fcf3820c

          SHA1

          d5bf94666d736f4fda4c5cbd335290b1b4d7c135

          SHA256

          6ab686dcf22216be050dd449e582d0210b83bb973f3cf7a9fac6b183bb631138

          SHA512

          730ad91b6af73ff7ccef24521091fae77e87a3d5899ef3f11f7e6894bf69ee34e39d7d23716471a8f65078bb164c10db09acf889603a57e7b60885603add5855

          Download Submit

        • memory/848-62-0x00000000751A1000-0x00000000751A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2020-55-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download