Analysis

  • max time kernel
    174s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2022, 10:08

General

  • Target

    1e6dd6998fb06d1a6f8afc5bb7e7b41518179285f28553cccdb6e45adc303df7.exe

  • Size

    452KB

  • MD5

    638e0e23a8e006dce8dfded1cbff5e9e

  • SHA1

    6d846680bdf596b4df98b814a591aaa86030f12f

  • SHA256

    1e6dd6998fb06d1a6f8afc5bb7e7b41518179285f28553cccdb6e45adc303df7

  • SHA512

    8ce8d57702951f5416aaa95a163f379e2d60bab9e672d1b6463318347f50430f7fe1156b25019ec6922957c70c7fc498498d72a56884fd1c962db40ef10a90b2

  • SSDEEP

    12288:KYU476vtic2xSNc8DtoQRWIvf5qZ4KAlPfEOX:1utj22c8RVWFZ3ARsOX

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e6dd6998fb06d1a6f8afc5bb7e7b41518179285f28553cccdb6e45adc303df7.exe
    "C:\Users\Admin\AppData\Local\Temp\1e6dd6998fb06d1a6f8afc5bb7e7b41518179285f28553cccdb6e45adc303df7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\jm9su7UE.exe
      C:\Users\Admin\jm9su7UE.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Users\Admin\xiufeo.exe
        "C:\Users\Admin\xiufeo.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4588
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del jm9su7UE.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4736
    • C:\Users\Admin\auhost.exe
      C:\Users\Admin\auhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Admin\auhost.exe
        "C:\Users\Admin\auhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4132
    • C:\Users\Admin\bqhost.exe
      C:\Users\Admin\bqhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:5048
    • C:\Users\Admin\elhost.exe
      C:\Users\Admin\elhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 1e6dd6998fb06d1a6f8afc5bb7e7b41518179285f28553cccdb6e45adc303df7.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2812

    Network

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\auhost.exe

      Filesize

      60KB

      MD5

      0ce1e9a2bc7b4a2b10a847acace8f337

      SHA1

      7698c4d822146dd757c6b39bdcec8d443860c099

      SHA256

      1fa5dca1771d75940cd5364edb358d914baaefdc56f2d21d573bbce22d41b205

      SHA512

      6b0be69db960889d5be8e89e92c7e3c82fa07430ebf16ad1d2fb77ad1a23d0358c0f7e44f75d16da2722abc4998cba88f6b08090b3a4b7f8b1400ae6001a1bb7

    • C:\Users\Admin\bqhost.exe

      Filesize

      260KB

      MD5

      880ec3876f5d5687be0f9099c1d629ee

      SHA1

      6b6e56229204e16285f44684a4fa904ded59beef

      SHA256

      d65d3acf805651b38ec3c6eee1fb4efa83824fdd7e407495cdb9f6ad9b8e0c7d

      SHA512

      2fa67fd0e315ea45ea2e54afcf42ff3795b5a64326470f7bb285adb8e840ba68de02fb1d518bc34d94067b8ef7d5e2865718fff9a805193c2b6f128d546f6434

    • C:\Users\Admin\elhost.exe

      Filesize

      48KB

      MD5

      82cd7f18c0c82c6c4228033a8dcaef8b

      SHA1

      66f78542b3ee762e4b189f658f37d01dbf0aff43

      SHA256

      18ec72076fb151ad97aeaa5e18d357aeb77c405dd867703e6709b9ede40cb237

      SHA512

      f9306ced3be80943b19c4fab575f1070bee46f9c049de988e9ec737ce6b320c66c82eec9a2cbed8f598514da2a21459bb7c25d514173afd566cd76d97a070142

    • C:\Users\Admin\jm9su7UE.exe

      Filesize

      212KB

      MD5

      e533f129e341c16a690960697fbb5c27

      SHA1

      c1c945168f49e1e312b77f518e1fcb5ab0a1c824

      SHA256

      2d0bcc8dce0a65ec302bfe3a49c143ba852d50286893657674c6c7fe73b70bff

      SHA512

      c5ce81ed27a8a4618b14560d97c1022b7a0156f8acdf883e9a8cdfc94c1edbbc76fed52fb5eba67af57dc3e5d269bfa480878da5d78108e9dc0392928d490ad6

    • C:\Users\Admin\xiufeo.exe

      Filesize

      212KB

      MD5

      66028644724a023cd0f1765507538e03

      SHA1

      df1fe712fc9ccff2e631273be53390a07b592ad1

      SHA256

      759867f1c1bc3bcc95ae27350e96ecca0154be75ae182d27ad569f0901759812

      SHA512

      9128ef1339c9e3a2880090417cb403b16f71c50f3fba10b9335189584a19a308cb7a0a19e4768d79e7a2bccb026eec913e4f88fd2a6f37e4197f1e7fcaf95826

    • memory/4132-145-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4132-156-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4132-148-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4132-149-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4664-162-0x0000000002830000-0x0000000002877000-memory.dmp

      Filesize

      284KB

    • memory/4664-165-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4664-166-0x0000000002830000-0x0000000002877000-memory.dmp

      Filesize

      284KB

    • memory/4664-163-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4664-161-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB