Overview

overview

10

Static

static

8

b847936013...48.exe

windows7-x64

10

b847936013...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2022 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b847936013481d6f6429c8f26f24b99feb17f335f5ac9eeb25a09318cb96ff48.exe

  • Size

    298KB

  • MD5

    91b8fd8a66fb9126763a232499c98d30

  • SHA1

    308e39a28c986f4247d78d162c14d021d2cb955d

  • SHA256

    b847936013481d6f6429c8f26f24b99feb17f335f5ac9eeb25a09318cb96ff48

  • SHA512

    7fece1448e8b87a7f14cdf6ab2ea0ae7aa250f84ed24cad0a2094184d37e3cda0943c3773bcae8ae16397af51004abb4c1c25cebeca6359500a8e61ea2a9166c

  • SSDEEP

    6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYa:v6Wq4aaE6KwyF5L0Y2D1PqLH

Score
10/10
evasionupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b847936013481d6f6429c8f26f24b99feb17f335f5ac9eeb25a09318cb96ff48.exe
    "C:\Users\Admin\AppData\Local\Temp\b847936013481d6f6429c8f26f24b99feb17f335f5ac9eeb25a09318cb96ff48.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\svhost.exe
      C:\Windows\svhost.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svhost.exe
    Filesize

    298KB

    MD5

    83205dd25ae0005a0eafbfed93dae801

    SHA1

    c0e1cfea2497303f0cc7532e4de679d7b48f68b0

    SHA256

    32e2598e080977d3a12cbea806247f71114a0fab3d9e62125980c64cd105790c

    SHA512

    23b2ad431025975fed7d4b46cf39bb0b96f812a3c6f8204cae33facd75c07fbd7e9e2509674eb4efe7a1b576f5a281f4ede3834b91f2a990732ed60db3f64316

    Download Submit

  • C:\Windows\svhost.exe
    Filesize

    298KB

    MD5

    83205dd25ae0005a0eafbfed93dae801

    SHA1

    c0e1cfea2497303f0cc7532e4de679d7b48f68b0

    SHA256

    32e2598e080977d3a12cbea806247f71114a0fab3d9e62125980c64cd105790c

    SHA512

    23b2ad431025975fed7d4b46cf39bb0b96f812a3c6f8204cae33facd75c07fbd7e9e2509674eb4efe7a1b576f5a281f4ede3834b91f2a990732ed60db3f64316

    Download Submit

  • memory/1380-132-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/1380-137-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/1732-136-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/1732-138-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download