Overview

overview

10

Static

static

181a0d1578...cf.exe

windows7-x64

10

181a0d1578...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 02:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    181a0d1578b0434ef24edde5a17ec12299ffbbf46b1a57e65dad4b71818c9ccf.exe

  • Size

    524KB

  • MD5

    002054540ed137853e3ec77b979e6d9a

  • SHA1

    c74a55cf44167cf56f3baf547228a58e488030ac

  • SHA256

    181a0d1578b0434ef24edde5a17ec12299ffbbf46b1a57e65dad4b71818c9ccf

  • SHA512

    e2f7f7c4340f387eae6875ece36081ff98ee4f61150f56522f49b7ef2f4203ae2dcef77b77b4349fb9241f85cca0caafcc84111b3a716211f9ddbc251e719dc1

  • SSDEEP

    12288:+SFMFpuhRp8tmnkX4C4IosE/rSkU19Zt/kMM22:JF+u+gkX3o1jSkErM2

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2576
    • C:\Users\Admin\AppData\Local\Temp\181a0d1578b0434ef24edde5a17ec12299ffbbf46b1a57e65dad4b71818c9ccf.exe
      "C:\Users\Admin\AppData\Local\Temp\181a0d1578b0434ef24edde5a17ec12299ffbbf46b1a57e65dad4b71818c9ccf.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\JB3O2vP3.exe
        C:\Users\Admin\JB3O2vP3.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4216
        • C:\Users\Admin\jeuac.exe
          "C:\Users\Admin\jeuac.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del JB3O2vP3.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:3488
      • C:\Users\Admin\2sun.exe
        C:\Users\Admin\2sun.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Users\Admin\2sun.exe
          "C:\Users\Admin\2sun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3656
        • C:\Users\Admin\2sun.exe
          "C:\Users\Admin\2sun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4876
        • C:\Users\Admin\2sun.exe
          "C:\Users\Admin\2sun.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2892
        • C:\Users\Admin\2sun.exe
          "C:\Users\Admin\2sun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:456
        • C:\Users\Admin\2sun.exe
          "C:\Users\Admin\2sun.exe"
          4⤵
          • Executes dropped EXE
          PID:3324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 80
            5⤵
            • Program crash
            PID:3364
      • C:\Users\Admin\3sun.exe
        C:\Users\Admin\3sun.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Users\Admin\AppData\Local\2aebb42b\X
          *0*bc*6693b3fb*31.193.3.240:53
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3100
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1316
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del 181a0d1578b0434ef24edde5a17ec12299ffbbf46b1a57e65dad4b71818c9ccf.exe
          3⤵
            PID:4544
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2336
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3324 -ip 3324
        1⤵
          PID:2004

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\2sun.exe
          Filesize

          128KB

          MD5

          cba16c1a489b02c4ff5720c68f35f787

          SHA1

          bd3d817f02e1492d246c067a6ddf3e0ec33d86c3

          SHA256

          0235b18287b0a3833cb877713019c2679a7699b2c848b16bfdf50244f8556e80

          SHA512

          00740a1e2bd2bba0f4f2486914fe1c885064d5dc6389561697e357a354e8cdc6707f4bd542c02179020ef69c6d9f1d3503eaf0111bb9c1eba1a64a194cb9c345

          Download Submit

        • C:\Users\Admin\3sun.exe
          Filesize

          278KB

          MD5

          345cbbd3a56a313f804b997f8cbecb2b

          SHA1

          9978d6f5bca8ab1486573ff073661e7cfd40c365

          SHA256

          492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c

          SHA512

          5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

          Download Submit

        • C:\Users\Admin\3sun.exe
          Filesize

          278KB

          MD5

          345cbbd3a56a313f804b997f8cbecb2b

          SHA1

          9978d6f5bca8ab1486573ff073661e7cfd40c365

          SHA256

          492c8cf86fcfa07fcf5716b17593a9ec265c5aa919c2fe563a34ece1580b055c

          SHA512

          5cdb8b00ab0d653a34b3d1b2871ebeb0badfe223779dce775adf00d577a2931f77c1e6d92cda719e32a8683f6f729179f128472efdf6ec0ac18cbdbcfbbc237d

          Download Submit

        • C:\Users\Admin\AppData\Local\2aebb42b\X
          Filesize

          38KB

          MD5

          72de2dadaf875e2fd7614e100419033c

          SHA1

          5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

          SHA256

          c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

          SHA512

          e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

          Download Submit

        • C:\Users\Admin\AppData\Local\2aebb42b\X
          Filesize

          38KB

          MD5

          72de2dadaf875e2fd7614e100419033c

          SHA1

          5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

          SHA256

          c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

          SHA512

          e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

          Download Submit

        • C:\Users\Admin\JB3O2vP3.exe
          Filesize

          228KB

          MD5

          290d691efc05b13247d2f6d8952a215b

          SHA1

          a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0

          SHA256

          43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be

          SHA512

          8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

          Download Submit

        • C:\Users\Admin\JB3O2vP3.exe
          Filesize

          228KB

          MD5

          290d691efc05b13247d2f6d8952a215b

          SHA1

          a885524eae321c2d025dd8e2fe4c8dd76dfb0ca0

          SHA256

          43b951fb64328c15a0592d228e90f05be14b4f18a902c35b5c0451020e1d82be

          SHA512

          8dfdcdd93b47db1b490a80fd1c483e5f10d18d782f34562bf7313039040c69878fb1d6ad22f1b3d6e48dcc8db507c430f11b1a976b48f9cd1769400fba4c150e

          Download Submit

        • C:\Users\Admin\jeuac.exe
          Filesize

          228KB

          MD5

          a112e62c3a277db5fa1eabe33c3ed65a

          SHA1

          3d6c483dd1f49b7efd58c28a10495519db96115d

          SHA256

          7b88dabd00eb735dec983892087faa8fc0d74a90cb00d02d72818f1c8e6b0a61

          SHA512

          008c81e79b75359911decd8f3103a45498870d2ac56d4cf04bc9cf159fe6255360d0646a0e1f59ab0e6629810ac43811386b7807b977760a91518a1c7fc7c87e

          Download Submit

        • C:\Users\Admin\jeuac.exe
          Filesize

          228KB

          MD5

          a112e62c3a277db5fa1eabe33c3ed65a

          SHA1

          3d6c483dd1f49b7efd58c28a10495519db96115d

          SHA256

          7b88dabd00eb735dec983892087faa8fc0d74a90cb00d02d72818f1c8e6b0a61

          SHA512

          008c81e79b75359911decd8f3103a45498870d2ac56d4cf04bc9cf159fe6255360d0646a0e1f59ab0e6629810ac43811386b7807b977760a91518a1c7fc7c87e

          Download Submit

        • memory/456-176-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/456-184-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/456-170-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/456-178-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2892-164-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2892-172-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2892-175-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2892-183-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3528-189-0x0000000030670000-0x00000000306C1000-memory.dmp

          Filesize

          324KB

          Download

        • memory/3528-190-0x000000000081F000-0x0000000000854000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3528-195-0x0000000030670000-0x00000000306C1000-memory.dmp

          Filesize

          324KB

          Download

        • memory/3528-196-0x000000000081F000-0x0000000000854000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3656-158-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3656-181-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3656-185-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3656-156-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3656-152-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4876-162-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4876-163-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4876-157-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4876-182-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download