Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/10/2022, 10:42

General

  • Target

    d433d9f3ef340c72f2a12b0c75b22eaca233f1fc9f75770020b966cc8d6a93d1.exe

  • Size

    450KB

  • MD5

    afb37333f3ee297a9cabad051f344adc

  • SHA1

    a9882775c75e8d62299fc6e5732b0a95d95ba48a

  • SHA256

    d433d9f3ef340c72f2a12b0c75b22eaca233f1fc9f75770020b966cc8d6a93d1

  • SHA512

    caedd42f11b7f425d2abd62dea5247a70bedf348dc17dd3f8d32ec92c7b8ca525ebf2d1a20ce8538c0690e064d01e80185be289603fc7a9cf4a3fcb148c41da5

  • SSDEEP

    6144:RO9pVI6FOpWQfgTYL4HZUzkgGGP6ZOV221T+d0Sz98ijEPO:R+VIcOpWDSc5gX6z2xSGIEPO

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d433d9f3ef340c72f2a12b0c75b22eaca233f1fc9f75770020b966cc8d6a93d1.exe
    "C:\Users\Admin\AppData\Local\Temp\d433d9f3ef340c72f2a12b0c75b22eaca233f1fc9f75770020b966cc8d6a93d1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Public\Documents\unzip.exe
      "C:\Users\Public\Documents\unzip.exe" -o 1.zip
      2⤵
      • Executes dropped EXE
      PID:620
    • C:\Users\Public\Documents\test.exe
      "C:\Users\Public\Documents\test.exe" -c
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:260

Network

        Downloads

        • C:\Users\Public\Documents\1.zip

          Filesize

          2.2MB

          MD5

          97eecc36f563e0d03b48ee31a38f021f

          SHA1

          ed16c53d4276f0a4e1b6280f169e82c68b8f8ef3

          SHA256

          b75879339cbebea035b93dcc073581ac355a4817fa7d3976217536734199eb10

          SHA512

          ff00d6915e94d76db789226a7791d789a91603146b2a73b3907fdd179154e21d28dfc4163ad3eaca5865a231af7f9b7453920fda6d39012fcb1d71d0e2e5780b

        • C:\Users\Public\Documents\svchost.txt

          Filesize

          4.3MB

          MD5

          1a71ed1b4c58ec5a7ab7ecb51dcea03b

          SHA1

          7484b3f8d946ecfe7e3d1ad078d334139d59d2a9

          SHA256

          8e8a6892f7899f77b05bf11eda3220955b45bed3be9c329638d31c2417b11ee8

          SHA512

          b7cd5392d654b42163a215dcefacf5268878eec2e4bab6bb36a09e74e9b61a949cb4f01f93e19d3227efc3562f7aae788208d6f14bddcf9bb077c3d01fb214de

        • C:\Users\Public\Documents\test.exe

          Filesize

          33KB

          MD5

          0ffed48741daae9a3a64461c124f1d69

          SHA1

          8d62172fb70356b8d61e8df5cb7ffcbae5616929

          SHA256

          02d0aab511ecc7311840493dc4592d3e6a7aaf735d9ca2a0e788b8ae99f3a79c

          SHA512

          4e6442fa341804d9a435ef8eddd82ae3b11c622fa5e181abebbeb7cab324a91ced9449614ba78ad34878fd29fdd123f356dceeff3905a3fb57a31c7ef6889040

        • C:\Users\Public\Documents\test123.dll

          Filesize

          72KB

          MD5

          14a95532d6b663fe84e02fe659474416

          SHA1

          4ce8e2acb914b4e29695cc13b8f1bac21c7f5604

          SHA256

          1ad1f3dbb12a574e0f93c4f62371f4bcf028f52f38bc5871ca3cb25a970c5416

          SHA512

          50ec5fc73f5f252c5cc6ad46ae52f89b7c9c7b3386474eac0e65354dcfef6a5bbef8020db73290ac5696273c592dd9e007a11981463659e26c7a4d08a3069133

        • C:\Users\Public\Documents\unzip.exe

          Filesize

          340KB

          MD5

          dc40dd3b36c9a8574f19fd4896a82e93

          SHA1

          a5c0666afb7edde5b9139c581e9660362613297f

          SHA256

          af29416261626e56643c167458d9ddcb720601ac1a74c996be35acb6ebd4efe6

          SHA512

          5fc83211afa507d11608a765c75d4e516f912c48c85648b647eaf35da3ccb2dd93bc5f7a2b297558fe19310873a947203a741a76d8e8b1bcbe2ff4eb7d2617ce

        • memory/260-142-0x0000000001930000-0x0000000001D80000-memory.dmp

          Filesize

          4.3MB

        • memory/260-146-0x0000000010000000-0x0000000010030000-memory.dmp

          Filesize

          192KB

        • memory/260-147-0x00000000014E0000-0x0000000001928000-memory.dmp

          Filesize

          4.3MB

        • memory/260-148-0x0000000010000000-0x0000000010030000-memory.dmp

          Filesize

          192KB