25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe
Size

1.1MB
MD5

816cc4d38afcf2792be067bb64637ed9
SHA1

9d87f8340eec6469c9bdc25a6cac29e6cb5add93
SHA256

25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391
SHA512

5bb37ec318842ab1705bf7c46b66aaed60e5443da1ab50ad48cf328cd7f45793598a8f964c7930bc64e4fbc8fa698a9fcc0018ad81637555da8fa0b0dd7b63e3
SSDEEP

24576:GV+yqaLs4zzaWWc5cxAN+ENr6XovJIYKC19:YZLjphccM4vJvjP

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2128	server.exe
2224	CHESTE~1.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0004000000022dd2-133.dat	upx
behavioral2/files/0x0004000000022dd2-134.dat	upx
behavioral2/memory/2128-135-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/2128-136-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2128-136-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/files/0x0002000000022df2-138.dat	autoit_exe
behavioral2/files/0x0002000000022df2-139.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2476	2128	WerFault.exe	81

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	CHESTE~1.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE
2224	CHESTE~1.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2128	4700	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	81
PID 4700 wrote to memory of 2128	4700	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	81
PID 4700 wrote to memory of 2128	4700	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	81
PID 4700 wrote to memory of 2224	4700	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	86
PID 4700 wrote to memory of 2224	4700	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	86
PID 4700 wrote to memory of 2224	4700	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	86

C:\Users\Admin\AppData\Local\Temp\25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe
"C:\Users\Admin\AppData\Local\Temp\25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 564
    3⤵
    - Program crash
    PID:2476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE

Filesize
716KB

MD5
03b135d5a82914328feeca9b557e1329

SHA1
126b97ed98e020a3ea9e2643d65cea10d10ccb6b

SHA256
926dec9667febd791cec5997e6ae0cced3b4f17645f256ebdd3195728e263a6d

SHA512
21afd99dfa8f7d8627140bef4fe44a5d8993f44956005d17bf54e8d29eb16c2bbb58bf7ed0ff814b502a8c6a1fcdda427efaada32ecd72351dbf7ec014d81849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE

Filesize
716KB

MD5
03b135d5a82914328feeca9b557e1329

SHA1
126b97ed98e020a3ea9e2643d65cea10d10ccb6b

SHA256
926dec9667febd791cec5997e6ae0cced3b4f17645f256ebdd3195728e263a6d

SHA512
21afd99dfa8f7d8627140bef4fe44a5d8993f44956005d17bf54e8d29eb16c2bbb58bf7ed0ff814b502a8c6a1fcdda427efaada32ecd72351dbf7ec014d81849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
memory/2128-135-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2128-136-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download