Overview

overview

10

Static

static

ff25ff7b8b...58.exe

windows7-x64

10

ff25ff7b8b...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff25ff7b8b80412ed64551e921d83b2fa0e553a7fc89769695364df9f579eb58.exe

  • Size

    416KB

  • MD5

    04c27cb013b9276d731d107cf13569d1

  • SHA1

    d7f2dd7403613d44195d19c6b7c6e7d6db91c757

  • SHA256

    ff25ff7b8b80412ed64551e921d83b2fa0e553a7fc89769695364df9f579eb58

  • SHA512

    93e6c251f8e9af1d956566e2637746ae9577e87933ca53033ae0c35696a903fd5570e427e937f1d410267dc150ccc465f0ae2c195fd95bfd3373ec3fd0ddda8c

  • SSDEEP

    12288:yDLOhQiq/baOtDO5k+XWsJQrrUmhiK2thyHRU:yDuQiqjklWhiTyHRU

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\ff25ff7b8b80412ed64551e921d83b2fa0e553a7fc89769695364df9f579eb58.exe
      "C:\Users\Admin\AppData\Local\Temp\ff25ff7b8b80412ed64551e921d83b2fa0e553a7fc89769695364df9f579eb58.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Users\Admin\ynS4WJZ6.exe
        C:\Users\Admin\ynS4WJZ6.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\maoufo.exe
          "C:\Users\Admin\maoufo.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del ynS4WJZ6.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1212
      • C:\Users\Admin\2aid.exe
        C:\Users\Admin\2aid.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Users\Admin\2aid.exe
          "C:\Users\Admin\2aid.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1036
      • C:\Users\Admin\3aid.exe
        C:\Users\Admin\3aid.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1204
        • C:\Users\Admin\4aid.exe
          C:\Users\Admin\4aid.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1956
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del ff25ff7b8b80412ed64551e921d83b2fa0e553a7fc89769695364df9f579eb58.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:932
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1192
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      1⤵
        PID:872
      • C:\Windows\system32\csrss.exe
        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
        1⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:332

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\2aid.exe
        Filesize

        72KB

        MD5

        bfd48191f79f45416e67efe6a8f25d5d

        SHA1

        ae31da442af2fe6ef7f960c3a50a3250baeafd8e

        SHA256

        8271c7ff81aeb4d60ddf9b7c6c5c7e9a391324b999184f79bac6fcd411f804f5

        SHA512

        2b2ff2c152e6ddf98d5e1043b456f080178a61413aa37a12166759a32a7b8ae98e8adcd90c76d4601c7da1334589fe93e4691e51f90dac70d74e954d06a246b8

        Download Submit

      • C:\Users\Admin\2aid.exe
        Filesize

        72KB

        MD5

        bfd48191f79f45416e67efe6a8f25d5d

        SHA1

        ae31da442af2fe6ef7f960c3a50a3250baeafd8e

        SHA256

        8271c7ff81aeb4d60ddf9b7c6c5c7e9a391324b999184f79bac6fcd411f804f5

        SHA512

        2b2ff2c152e6ddf98d5e1043b456f080178a61413aa37a12166759a32a7b8ae98e8adcd90c76d4601c7da1334589fe93e4691e51f90dac70d74e954d06a246b8

        Download Submit

      • C:\Users\Admin\2aid.exe
        Filesize

        72KB

        MD5

        bfd48191f79f45416e67efe6a8f25d5d

        SHA1

        ae31da442af2fe6ef7f960c3a50a3250baeafd8e

        SHA256

        8271c7ff81aeb4d60ddf9b7c6c5c7e9a391324b999184f79bac6fcd411f804f5

        SHA512

        2b2ff2c152e6ddf98d5e1043b456f080178a61413aa37a12166759a32a7b8ae98e8adcd90c76d4601c7da1334589fe93e4691e51f90dac70d74e954d06a246b8

        Download Submit

      • C:\Users\Admin\3aid.exe
        Filesize

        208KB

        MD5

        914c8e336d83ca18bde8ec3d6dd5d852

        SHA1

        85fd8a4c0114a421d05ca78be872def090b217b8

        SHA256

        0061ffc16cd3615e7d30f22a69d65642cb13f55a357da9f379ebe904168bbe5e

        SHA512

        578e6b94bf576359daf96cc097c5798c9a1b8f3a47ba3f4f0707503ce32f78fafb6f0540a95f2ba311223e14be8f192468a4f3c644fe9cff9198e8ead92c0673

        Download Submit

      • C:\Users\Admin\3aid.exe
        Filesize

        208KB

        MD5

        914c8e336d83ca18bde8ec3d6dd5d852

        SHA1

        85fd8a4c0114a421d05ca78be872def090b217b8

        SHA256

        0061ffc16cd3615e7d30f22a69d65642cb13f55a357da9f379ebe904168bbe5e

        SHA512

        578e6b94bf576359daf96cc097c5798c9a1b8f3a47ba3f4f0707503ce32f78fafb6f0540a95f2ba311223e14be8f192468a4f3c644fe9cff9198e8ead92c0673

        Download Submit

      • C:\Users\Admin\4aid.exe
        Filesize

        44KB

        MD5

        27ddac23e41b3aba1371229bc3114ebe

        SHA1

        70e7b60767a38a27d22b03415006c5a265fe5e93

        SHA256

        afa5e7176ef811c85155cb18eed520d12c1bedc2c3e3e1775a197c8a687e3614

        SHA512

        e18dc372eff827a6590c3ff9a83d428ce2fef6682b9a0ddf667489f5d148472b6f9f6239c4df68eae43c377a4c1f633c45221902044288cdbfdf20708cdd1ebd

        Download Submit

      • C:\Users\Admin\maoufo.exe
        Filesize

        292KB

        MD5

        70795dd75771f0db3e51fb3a8cbed93c

        SHA1

        75c21ee860b9c779faa5239d4c0f40bc33db91b5

        SHA256

        93fba1256be48a17710b87cdf2eb74307db5363f54ad62ad620cf677a4578486

        SHA512

        0ebf363945701fec1148ebabb5a472d9ac96d89a5f3581a5f62920e69c06990cadeafa2c59e9b502c32e1aa62276dd99062e010f28aeb2d5e41d1b2bff935648

        Download Submit

      • C:\Users\Admin\maoufo.exe
        Filesize

        292KB

        MD5

        70795dd75771f0db3e51fb3a8cbed93c

        SHA1

        75c21ee860b9c779faa5239d4c0f40bc33db91b5

        SHA256

        93fba1256be48a17710b87cdf2eb74307db5363f54ad62ad620cf677a4578486

        SHA512

        0ebf363945701fec1148ebabb5a472d9ac96d89a5f3581a5f62920e69c06990cadeafa2c59e9b502c32e1aa62276dd99062e010f28aeb2d5e41d1b2bff935648

        Download Submit

      • C:\Users\Admin\ynS4WJZ6.exe
        Filesize

        292KB

        MD5

        b336ee551b4c80dde9f97aec73ea26bd

        SHA1

        fb0be70476d28d89187b369bf73a98fb040d9c0b

        SHA256

        a381f7f881ff01be2dda54067ea7e182044f130b7a69c339968262ec90180649

        SHA512

        5348846868a3f257c692dda8dfd9b7ddb0a39053de8f2b521dce7964139dbd07f5a5108a2186c491a152d932da8355b98d39babeec712175d9caeb0633784a52

        Download Submit

      • C:\Users\Admin\ynS4WJZ6.exe
        Filesize

        292KB

        MD5

        b336ee551b4c80dde9f97aec73ea26bd

        SHA1

        fb0be70476d28d89187b369bf73a98fb040d9c0b

        SHA256

        a381f7f881ff01be2dda54067ea7e182044f130b7a69c339968262ec90180649

        SHA512

        5348846868a3f257c692dda8dfd9b7ddb0a39053de8f2b521dce7964139dbd07f5a5108a2186c491a152d932da8355b98d39babeec712175d9caeb0633784a52

        Download Submit

      • C:\Windows\system32\consrv.dll
        Filesize

        53KB

        MD5

        d1c9e07123216e8836e7988794cd3c75

        SHA1

        a1061c34544c9377449e186074404e0dd1009994

        SHA256

        334bd46d5f3ba098c11827982715c0ff98e2aa1c2361b9702b222949e7e5730c

        SHA512

        06014da3030fa66fbf64f9dd0c9c229390c93dedcb2c6f53aff810a7d0054c05c514804ea9dbae3d6ec1f13b45b4dd844a7e1ec1706e5a7ae16be8e8a760898b

        Download Submit

      • \??\globalroot\systemroot\assembly\temp\@
        Filesize

        2KB

        MD5

        55e83789cd0307663aa66d5a0d582202

        SHA1

        85d2ffe5a7bf2f7fc43705a2bb953bc981540212

        SHA256

        926c4cb12b70c3927068d16bcc8a16033559b01b14b28e9ac4dc08836ce4d6bc

        SHA512

        04160134d505d8c07ecae0bbe5b904fd82bde5505368132be10ff4dc6a5965cccd00848c234575006f8b729aa322aea392fbe5a4eaf7b0aa98063fd68f3f1af8

        Download Submit

      • \Users\Admin\2aid.exe
        Filesize

        72KB

        MD5

        bfd48191f79f45416e67efe6a8f25d5d

        SHA1

        ae31da442af2fe6ef7f960c3a50a3250baeafd8e

        SHA256

        8271c7ff81aeb4d60ddf9b7c6c5c7e9a391324b999184f79bac6fcd411f804f5

        SHA512

        2b2ff2c152e6ddf98d5e1043b456f080178a61413aa37a12166759a32a7b8ae98e8adcd90c76d4601c7da1334589fe93e4691e51f90dac70d74e954d06a246b8

        Download Submit

      • \Users\Admin\2aid.exe
        Filesize

        72KB

        MD5

        bfd48191f79f45416e67efe6a8f25d5d

        SHA1

        ae31da442af2fe6ef7f960c3a50a3250baeafd8e

        SHA256

        8271c7ff81aeb4d60ddf9b7c6c5c7e9a391324b999184f79bac6fcd411f804f5

        SHA512

        2b2ff2c152e6ddf98d5e1043b456f080178a61413aa37a12166759a32a7b8ae98e8adcd90c76d4601c7da1334589fe93e4691e51f90dac70d74e954d06a246b8

        Download Submit

      • \Users\Admin\3aid.exe
        Filesize

        208KB

        MD5

        914c8e336d83ca18bde8ec3d6dd5d852

        SHA1

        85fd8a4c0114a421d05ca78be872def090b217b8

        SHA256

        0061ffc16cd3615e7d30f22a69d65642cb13f55a357da9f379ebe904168bbe5e

        SHA512

        578e6b94bf576359daf96cc097c5798c9a1b8f3a47ba3f4f0707503ce32f78fafb6f0540a95f2ba311223e14be8f192468a4f3c644fe9cff9198e8ead92c0673

        Download Submit

      • \Users\Admin\3aid.exe
        Filesize

        208KB

        MD5

        914c8e336d83ca18bde8ec3d6dd5d852

        SHA1

        85fd8a4c0114a421d05ca78be872def090b217b8

        SHA256

        0061ffc16cd3615e7d30f22a69d65642cb13f55a357da9f379ebe904168bbe5e

        SHA512

        578e6b94bf576359daf96cc097c5798c9a1b8f3a47ba3f4f0707503ce32f78fafb6f0540a95f2ba311223e14be8f192468a4f3c644fe9cff9198e8ead92c0673

        Download Submit

      • \Users\Admin\4aid.exe
        Filesize

        44KB

        MD5

        27ddac23e41b3aba1371229bc3114ebe

        SHA1

        70e7b60767a38a27d22b03415006c5a265fe5e93

        SHA256

        afa5e7176ef811c85155cb18eed520d12c1bedc2c3e3e1775a197c8a687e3614

        SHA512

        e18dc372eff827a6590c3ff9a83d428ce2fef6682b9a0ddf667489f5d148472b6f9f6239c4df68eae43c377a4c1f633c45221902044288cdbfdf20708cdd1ebd

        Download Submit

      • \Users\Admin\4aid.exe
        Filesize

        44KB

        MD5

        27ddac23e41b3aba1371229bc3114ebe

        SHA1

        70e7b60767a38a27d22b03415006c5a265fe5e93

        SHA256

        afa5e7176ef811c85155cb18eed520d12c1bedc2c3e3e1775a197c8a687e3614

        SHA512

        e18dc372eff827a6590c3ff9a83d428ce2fef6682b9a0ddf667489f5d148472b6f9f6239c4df68eae43c377a4c1f633c45221902044288cdbfdf20708cdd1ebd

        Download Submit

      • \Users\Admin\maoufo.exe
        Filesize

        292KB

        MD5

        70795dd75771f0db3e51fb3a8cbed93c

        SHA1

        75c21ee860b9c779faa5239d4c0f40bc33db91b5

        SHA256

        93fba1256be48a17710b87cdf2eb74307db5363f54ad62ad620cf677a4578486

        SHA512

        0ebf363945701fec1148ebabb5a472d9ac96d89a5f3581a5f62920e69c06990cadeafa2c59e9b502c32e1aa62276dd99062e010f28aeb2d5e41d1b2bff935648

        Download Submit

      • \Users\Admin\maoufo.exe
        Filesize

        292KB

        MD5

        70795dd75771f0db3e51fb3a8cbed93c

        SHA1

        75c21ee860b9c779faa5239d4c0f40bc33db91b5

        SHA256

        93fba1256be48a17710b87cdf2eb74307db5363f54ad62ad620cf677a4578486

        SHA512

        0ebf363945701fec1148ebabb5a472d9ac96d89a5f3581a5f62920e69c06990cadeafa2c59e9b502c32e1aa62276dd99062e010f28aeb2d5e41d1b2bff935648

        Download Submit

      • \Users\Admin\ynS4WJZ6.exe
        Filesize

        292KB

        MD5

        b336ee551b4c80dde9f97aec73ea26bd

        SHA1

        fb0be70476d28d89187b369bf73a98fb040d9c0b

        SHA256

        a381f7f881ff01be2dda54067ea7e182044f130b7a69c339968262ec90180649

        SHA512

        5348846868a3f257c692dda8dfd9b7ddb0a39053de8f2b521dce7964139dbd07f5a5108a2186c491a152d932da8355b98d39babeec712175d9caeb0633784a52

        Download Submit

      • \Users\Admin\ynS4WJZ6.exe
        Filesize

        292KB

        MD5

        b336ee551b4c80dde9f97aec73ea26bd

        SHA1

        fb0be70476d28d89187b369bf73a98fb040d9c0b

        SHA256

        a381f7f881ff01be2dda54067ea7e182044f130b7a69c339968262ec90180649

        SHA512

        5348846868a3f257c692dda8dfd9b7ddb0a39053de8f2b521dce7964139dbd07f5a5108a2186c491a152d932da8355b98d39babeec712175d9caeb0633784a52

        Download Submit

      • \Windows\System32\consrv.dll
        Filesize

        53KB

        MD5

        d1c9e07123216e8836e7988794cd3c75

        SHA1

        a1061c34544c9377449e186074404e0dd1009994

        SHA256

        334bd46d5f3ba098c11827982715c0ff98e2aa1c2361b9702b222949e7e5730c

        SHA512

        06014da3030fa66fbf64f9dd0c9c229390c93dedcb2c6f53aff810a7d0054c05c514804ea9dbae3d6ec1f13b45b4dd844a7e1ec1706e5a7ae16be8e8a760898b

        Download Submit

      • memory/332-115-0x0000000000A50000-0x0000000000A62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/572-99-0x0000000000220000-0x000000000024B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/572-114-0x0000000030670000-0x00000000306A4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/572-97-0x0000000030670000-0x00000000306A4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/572-100-0x0000000030670000-0x00000000306A4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/872-137-0x00000000007F0000-0x00000000007F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/872-125-0x0000000000800000-0x000000000080B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/872-129-0x0000000000800000-0x000000000080B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/872-136-0x0000000000810000-0x000000000081B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/872-135-0x00000000007F0000-0x00000000007F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/872-133-0x0000000000800000-0x000000000080B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/872-138-0x0000000000810000-0x000000000081B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1036-83-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1036-86-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1036-85-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1036-82-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1036-90-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1036-98-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1036-91-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1404-109-0x0000000002160000-0x0000000002166000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1404-105-0x0000000002160000-0x0000000002166000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1404-101-0x0000000002160000-0x0000000002166000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1980-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

        Filesize

        8KB

        Download