f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe
Size

13KB
MD5

600478d718313ffa60543c765556c8fd
SHA1

39fc3553c2b22324f64086b626c0c2b6ce86753f
SHA256

f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41
SHA512

50e708e6786065c4afd204a58c530b25123a86022ed1bbaffe254c4fc0b748b7dc1a1e83609e6700430ac56e82b34ec45532d719ee0ca6de8abaf6595cb1ca2f
SSDEEP

192:WjMVI7p0W8hKjY2Xu43GGKr8Jru9C6lcQXrdPkevZctGTfIcsGT91WtbeAvxEO:Wjp7pwKfXuXhgrglpkeCtGjIcs8AmO

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4892-132-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4892-138-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\nehack.bat	f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4132	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1152	4892	f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe	83
PID 4892 wrote to memory of 1152	4892	f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe	83
PID 4892 wrote to memory of 1152	4892	f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe	83
PID 1152 wrote to memory of 4132	1152	cmd.exe	85
PID 1152 wrote to memory of 4132	1152	cmd.exe	85
PID 1152 wrote to memory of 4132	1152	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe
"C:\Users\Admin\AppData\Local\Temp\f3fce2f686086ec373b8c84249c598e4b72273f8ad4e0443a8bb352a51813f41.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\nehack.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\nehack.bat

Filesize
101B

MD5
36d8b6674df868c7d5d776ed3c9b5318

SHA1
96a7fea8624f420eb93925222eef96c57e783f6c

SHA256
726a947bb261fb3e97f939dc6ad9df56131adf3a362cb09c20cea41ed5a5278c

SHA512
20d5fcac4df9437cba7c06d46962a6edcebeb40dd955d9aaf88abdbe9e93f97253e07d6571e8e5dfe22332c80b34582b090b556c9a2e3aa5bc11eb3d9904012c

Download Submit
memory/4892-132-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4892-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download