Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-10-2022 13:12

General

  • Target

    2f31e30ec7f58fb2f99bfa2611e93e9a0e57cae5a86d29875fcb2005fe812a81.exe

  • Size

    721KB

  • MD5

    9086d06423c8e3abed4d63ca92221f72

  • SHA1

    a852d2fd58450932e440d973dec3823a1a9f13e7

  • SHA256

    2f31e30ec7f58fb2f99bfa2611e93e9a0e57cae5a86d29875fcb2005fe812a81

  • SHA512

    ca7a8c4bffa46622d2b236eb613e12da16a5744ee2c3b8dcd55f0a971d5fbb9f58075cde7ef1137c64eb9a231ac7179705af2a3dd27b83acc6628cbd16f3c2d3

  • SSDEEP

    12288:QUp3EQ6T6jpV3KVMeHf2Jl84yfFr+3p8rkKQr6MCNVkgQpNaQ4ppFJN9IJaXSP:QKTV0TfkOYK1NkgQ3+mJaCP

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f31e30ec7f58fb2f99bfa2611e93e9a0e57cae5a86d29875fcb2005fe812a81.exe
    "C:\Users\Admin\AppData\Local\Temp\2f31e30ec7f58fb2f99bfa2611e93e9a0e57cae5a86d29875fcb2005fe812a81.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsuxZ.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java(TM) Platform SE Auto Updator 2.1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1760
    • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
      "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4948
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1292
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1188
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4184
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:716
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Falaheye.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Falaheye.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5104
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Falaheye.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Falaheye.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4712
      • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2168

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\XsuxZ.bat

    Filesize

    173B

    MD5

    0f9512ff58185a551abc4fa80ffde3b5

    SHA1

    eb2df1adbb3504236d2857d8a9c297121c97a95d

    SHA256

    79747cbd0b884c6870d0ab8b90e4b64af598f1c1c97b2eb31c1fc1a1d6128189

    SHA512

    1f7216ce7cd2e1ae6e30c7d6d0f84b3a7a637c6cfe9568a10ffa802b99a832b3e4f45c7bd02cbbe70665e79ea917e7e9ac9a38ceaf469836fb207a47ef52ff3e

  • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe

    Filesize

    721KB

    MD5

    e817a08775a7ef23c9ed98b590768164

    SHA1

    e8574a687f4490e4abd5c5a09280787fa91ab530

    SHA256

    24dec17667daf74e8d61c03c4fe7879904231c48be38570869d7a5010d088f6c

    SHA512

    c1dca1ba9f214ccaccb661cc9832fd90027233492c0e20c1ebc4ac6a5e813ff63e47b0c87f902eca7ecdbeb2bf322e2595c01d619c9b5f7d72cd77cb7681c62b

  • memory/368-135-0x0000000000000000-mapping.dmp

  • memory/716-171-0x0000000000000000-mapping.dmp

  • memory/920-150-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/920-145-0x0000000000000000-mapping.dmp

  • memory/920-146-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/920-149-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/920-173-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/920-164-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1028-166-0x0000000000000000-mapping.dmp

  • memory/1188-172-0x0000000000000000-mapping.dmp

  • memory/1292-167-0x0000000000000000-mapping.dmp

  • memory/1424-144-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/1424-138-0x0000000000000000-mapping.dmp

  • memory/1424-159-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/1760-137-0x0000000000000000-mapping.dmp

  • memory/2168-151-0x0000000000000000-mapping.dmp

  • memory/2168-165-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2168-158-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2168-156-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2168-152-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4184-168-0x0000000000000000-mapping.dmp

  • memory/4712-170-0x0000000000000000-mapping.dmp

  • memory/4948-163-0x0000000000000000-mapping.dmp

  • memory/5036-132-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/5036-142-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/5104-169-0x0000000000000000-mapping.dmp