766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965

Analysis

max time kernel
92s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
Size

400KB
MD5

a19d9fb62c7955caa9d284e66a6f07f0
SHA1

b28a0e62325500a2a438eeb23159c3995e7be479
SHA256

766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965
SHA512

59ce44fb0e0c167cd7df6618ab7cf81661c911bed91896600de588e237dea7939a1337cd5e1ae29ebe6286825a0b03d041a4dbc2a129a48959e4df642632f369
SSDEEP

12288:j6Wq4aaE6KwyF5L0Y2D1PqLEr7xznGa3c2y:JthEVaPqLAzTs2y

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2160	commander.exe
4528	commander.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5052-132-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/5052-139-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/5052-139-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\commander.exe	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
File opened for modification	C:\Windows\svhost.exe	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2160	5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe	81
PID 5052 wrote to memory of 2160	5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe	81
PID 5052 wrote to memory of 2160	5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe	81
PID 2160 wrote to memory of 4612	2160	commander.exe	83
PID 2160 wrote to memory of 4612	2160	commander.exe	83
PID 2160 wrote to memory of 4612	2160	commander.exe	83
PID 5052 wrote to memory of 4528	5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe	84
PID 5052 wrote to memory of 4528	5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe	84
PID 5052 wrote to memory of 4528	5052	766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe	84
PID 4528 wrote to memory of 1076	4528	commander.exe	86
PID 4528 wrote to memory of 1076	4528	commander.exe	86
PID 4528 wrote to memory of 1076	4528	commander.exe	86

C:\Users\Admin\AppData\Local\Temp\766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
"C:\Users\Admin\AppData\Local\Temp\766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\at.exe
    at 9:00 /interactive C:\Windows\svhost.exe
    3⤵
    PID:4612
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C schtasks /run /tn at1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn at1
    3⤵
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\commander.exe

Filesize
231KB

MD5
690ccf3a840cedf07454610f27a140e5

SHA1
2d31b46d695bcf4e7192fbc385347daeaf883639

SHA256
60ff482bbd9b7061e9969a7ea636548feeeaff7ac056f117a581065e4297d13a

SHA512
d717ca2f5b0524659784c2ffd14410133a292979dd3da9961da840af5ebbd146d415065d1e282d22a71fdd476f2fd87cf4d638e612804bf6230ce59c1e6b0158

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
231KB

MD5
690ccf3a840cedf07454610f27a140e5

SHA1
2d31b46d695bcf4e7192fbc385347daeaf883639

SHA256
60ff482bbd9b7061e9969a7ea636548feeeaff7ac056f117a581065e4297d13a

SHA512
d717ca2f5b0524659784c2ffd14410133a292979dd3da9961da840af5ebbd146d415065d1e282d22a71fdd476f2fd87cf4d638e612804bf6230ce59c1e6b0158

Download Submit
memory/5052-132-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5052-139-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download