Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2022 20:16

General

  • Target

    9fc97d70363416a4f1d4dc6664e925350029973da8e4b01f849d0ebd4170419a.exe

  • Size

    10.8MB

  • MD5

    a7d7ffc4fd259a1ce33b40148031559f

  • SHA1

    dbb9ffc3511f0b84d2ad9ef6698d859b198d7f5b

  • SHA256

    9fc97d70363416a4f1d4dc6664e925350029973da8e4b01f849d0ebd4170419a

  • SHA512

    84134d3d8c6ea0bba8105c6daf3a5a322ac493ed133190141cc415fbc398ed5cf6a77189d29121deed067601534f02b698ab53a59a67aa96557d9d1c97d2fb78

  • SSDEEP

    196608:pIVc7gnXKldqdlxUfGfTY9MxhkoGIb/QrxVe0tx8dj7K5NPDX5PKVYVzWuwnV2:pI8gnXK3qNTY9MEoGgQ9VLVXDX5PiYRE

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 51 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fc97d70363416a4f1d4dc6664e925350029973da8e4b01f849d0ebd4170419a.exe
    "C:\Users\Admin\AppData\Local\Temp\9fc97d70363416a4f1d4dc6664e925350029973da8e4b01f849d0ebd4170419a.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • NTFS ADS
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Local\Temp\wlltweak.exe
      C:\Users\Admin\AppData\Local\Temp\wlltweak.exe -detected C:\Users\Admin\AppData\Local\Temp\runLOG.log
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c CMDtool.tmp SHOW =1 & 0:1
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Users\Admin\AppData\Local\Temp\CMDtool.tmp
        CMDtool.tmp SHOW =1
        3⤵
        • Executes dropped EXE
        PID:2000

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CMDtool.tmp

    Filesize

    397KB

    MD5

    9a780d1b152df074cac11b04a54aea83

    SHA1

    0694abda0ca5d755326fb4c65d5c7a023947627a

    SHA256

    5aee8653aab0adb4106f32a6d753b39d17df9a96a2d391066248e4a4a1479b2d

    SHA512

    239c77772e1690bbabf99aa129d0183fd5bc5d5d343cfadf1099fe40ed207247c67aaaadc193b4154b718cdcfcd14258d33c8c5a1b1bfbdb6d99fbaa76e14079

  • C:\Users\Admin\AppData\Local\Temp\wlltweak.exe

    Filesize

    1.1MB

    MD5

    f010c7b0371649e6dac5834c4270950f

    SHA1

    669ac013c71f5f60500571fd10c2cea532714ad4

    SHA256

    ba37f8ee0a66066a29204c3bf48fe0141495d443fbcf559b3de0304d2267d970

    SHA512

    82e09dd24dc131876f91dabb026c372ccfbb62189e4a3384b8c478af545956df2b30e777a9908350a56dacf8b66a30290b05788b30cecb75ff0da1b8a1758c9c

  • \Users\Admin\AppData\Local\Temp\CMDtool.tmp

    Filesize

    397KB

    MD5

    9a780d1b152df074cac11b04a54aea83

    SHA1

    0694abda0ca5d755326fb4c65d5c7a023947627a

    SHA256

    5aee8653aab0adb4106f32a6d753b39d17df9a96a2d391066248e4a4a1479b2d

    SHA512

    239c77772e1690bbabf99aa129d0183fd5bc5d5d343cfadf1099fe40ed207247c67aaaadc193b4154b718cdcfcd14258d33c8c5a1b1bfbdb6d99fbaa76e14079

  • \Users\Admin\AppData\Local\Temp\wlltweak.exe

    Filesize

    1.1MB

    MD5

    f010c7b0371649e6dac5834c4270950f

    SHA1

    669ac013c71f5f60500571fd10c2cea532714ad4

    SHA256

    ba37f8ee0a66066a29204c3bf48fe0141495d443fbcf559b3de0304d2267d970

    SHA512

    82e09dd24dc131876f91dabb026c372ccfbb62189e4a3384b8c478af545956df2b30e777a9908350a56dacf8b66a30290b05788b30cecb75ff0da1b8a1758c9c

  • memory/900-54-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB

  • memory/1920-56-0x0000000000000000-mapping.dmp

  • memory/1952-60-0x0000000000000000-mapping.dmp

  • memory/1952-67-0x0000000000420000-0x00000000004E0000-memory.dmp

    Filesize

    768KB

  • memory/2000-63-0x0000000000000000-mapping.dmp

  • memory/2000-66-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB