801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5

Analysis

max time kernel
37s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
Size

375KB
MD5

a005c8ae3ef927fdafb0d22bec5abe80
SHA1

d6f1f2f7311535a077a55b1c334176e72ad63a56
SHA256

801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5
SHA512

8c13bff224458ed27e7426311a8451a7071fe187842d179d68c07c552a4c3824b1b344c549b1732a353f52f37e5c7a5510ea8573074a035d6ce4853c7bc64c42
SSDEEP

6144:I8U2qy6rRZb7jxGYV/AkMMyp+GWSSpYN1HLbRc2nPyPz7W5GnTA6D9YzZlVwd9un:+zy6rRxEWM2GgeN1HL1qPv0m7D9Ylg9o

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1176	111.exe
1124	345.exe
1596	223.exe
1728	uwdx.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122d6-55.dat	upx
behavioral1/files/0x000a0000000122d6-56.dat	upx
behavioral1/files/0x000a0000000122d6-58.dat	upx
behavioral1/memory/1176-62-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1176-63-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1248-79-0x0000000002F60000-0x0000000002FDB000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
1596	223.exe
1596	223.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uwdx.exe	223.exe
File created	C:\Windows\SysWOW64\ole2.vbs	223.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ime\system.exe	223.exe
File opened for modification	C:\Windows\ime\system.exe	223.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1176	111.exe
1176	111.exe
1124	345.exe
1728	uwdx.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1176	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	26
PID 1248 wrote to memory of 1176	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	26
PID 1248 wrote to memory of 1176	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	26
PID 1248 wrote to memory of 1176	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	26
PID 1248 wrote to memory of 1124	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	27
PID 1248 wrote to memory of 1124	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	27
PID 1248 wrote to memory of 1124	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	27
PID 1248 wrote to memory of 1124	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	27
PID 1248 wrote to memory of 1596	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	28
PID 1248 wrote to memory of 1596	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	28
PID 1248 wrote to memory of 1596	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	28
PID 1248 wrote to memory of 1596	1248	801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe	28
PID 1596 wrote to memory of 1728	1596	223.exe	29
PID 1596 wrote to memory of 1728	1596	223.exe	29
PID 1596 wrote to memory of 1728	1596	223.exe	29
PID 1596 wrote to memory of 1728	1596	223.exe	29

C:\Users\Admin\AppData\Local\Temp\801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe
"C:\Users\Admin\AppData\Local\Temp\801a121e1b181786d84b97ae89847dfcdb1dc3319a93a804a14445c5269b83e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\uwdx.exe
    C:\Windows\system32\uwdx.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe

Filesize
115KB

MD5
aaef562d46db1b72d0ffb67df43b798d

SHA1
678caba3a830d32bc6486d68792e4551f63be7c1

SHA256
e0842c75b79178f519bfccd8fe34aae6db1eaaa4bb3834fb46fbf2935c0fba57

SHA512
c283a2542844066204af4d454f50de9ace37303979ccbb8732255e0569b649b7ce6c1762ff8d576f883d1032afa94a88dd6f8f3aa318d89522361c91fe3f241c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe

Filesize
181KB

MD5
23e6e5ae5040cc3299a5a4ebbe5c8a95

SHA1
8a598c9d024139b9f13ba70ea76da662ef60a440

SHA256
4156a7dc1fed247f003f38e82ac0baa0418fd7d340cc7d017e815f1a31b45898

SHA512
f643fb4f85d4e405b97ec92491bb2046584357ebd3b7972768eea354cfca6079a532b94cbed2cae615a4aed6cb210a9f8e048933bd9465d1237bccdcdfbd16d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe

Filesize
181KB

MD5
23e6e5ae5040cc3299a5a4ebbe5c8a95

SHA1
8a598c9d024139b9f13ba70ea76da662ef60a440

SHA256
4156a7dc1fed247f003f38e82ac0baa0418fd7d340cc7d017e815f1a31b45898

SHA512
f643fb4f85d4e405b97ec92491bb2046584357ebd3b7972768eea354cfca6079a532b94cbed2cae615a4aed6cb210a9f8e048933bd9465d1237bccdcdfbd16d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe

Filesize
17KB

MD5
7649b65b59a873a8e7caa21e5273e84f

SHA1
0df91213de49c779722a426211585cbd103cc797

SHA256
d052376eb1906edb2e38bd61dbd3033a07aab237da1203ebf3bd947bf87b6192

SHA512
20689ce3bf9105df7c784186a31fcf206716e0530ca379f6befb481ee7c264f00d30d1fa224eab07daf42d3c4385e6958239925ebcfc462f45706ca375e885f8

Download Submit
C:\Windows\SysWOW64\uwdx.exe

Filesize
18KB

MD5
57b39e7e3b29ef594449a1949241a451

SHA1
885aee7d5af106943dc4e35548a20d9282569063

SHA256
32f54a06fe3b10f6716edfa1ca7b95d3627e09a3cf6d6691b5122077aa839c22

SHA512
7f6d66ab21ab7e326ca35049052f314dbad3f048dd1f48258c552134d8f4a5b2e7e80fc662c98d8e24dd5ae501d36d10cc9bdf1eb166baa670b5b4b0a0df2165

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe

Filesize
115KB

MD5
aaef562d46db1b72d0ffb67df43b798d

SHA1
678caba3a830d32bc6486d68792e4551f63be7c1

SHA256
e0842c75b79178f519bfccd8fe34aae6db1eaaa4bb3834fb46fbf2935c0fba57

SHA512
c283a2542844066204af4d454f50de9ace37303979ccbb8732255e0569b649b7ce6c1762ff8d576f883d1032afa94a88dd6f8f3aa318d89522361c91fe3f241c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\111.exe

Filesize
115KB

MD5
aaef562d46db1b72d0ffb67df43b798d

SHA1
678caba3a830d32bc6486d68792e4551f63be7c1

SHA256
e0842c75b79178f519bfccd8fe34aae6db1eaaa4bb3834fb46fbf2935c0fba57

SHA512
c283a2542844066204af4d454f50de9ace37303979ccbb8732255e0569b649b7ce6c1762ff8d576f883d1032afa94a88dd6f8f3aa318d89522361c91fe3f241c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\223.exe

Filesize
181KB

MD5
23e6e5ae5040cc3299a5a4ebbe5c8a95

SHA1
8a598c9d024139b9f13ba70ea76da662ef60a440

SHA256
4156a7dc1fed247f003f38e82ac0baa0418fd7d340cc7d017e815f1a31b45898

SHA512
f643fb4f85d4e405b97ec92491bb2046584357ebd3b7972768eea354cfca6079a532b94cbed2cae615a4aed6cb210a9f8e048933bd9465d1237bccdcdfbd16d3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe

Filesize
17KB

MD5
7649b65b59a873a8e7caa21e5273e84f

SHA1
0df91213de49c779722a426211585cbd103cc797

SHA256
d052376eb1906edb2e38bd61dbd3033a07aab237da1203ebf3bd947bf87b6192

SHA512
20689ce3bf9105df7c784186a31fcf206716e0530ca379f6befb481ee7c264f00d30d1fa224eab07daf42d3c4385e6958239925ebcfc462f45706ca375e885f8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\345.exe

Filesize
17KB

MD5
7649b65b59a873a8e7caa21e5273e84f

SHA1
0df91213de49c779722a426211585cbd103cc797

SHA256
d052376eb1906edb2e38bd61dbd3033a07aab237da1203ebf3bd947bf87b6192

SHA512
20689ce3bf9105df7c784186a31fcf206716e0530ca379f6befb481ee7c264f00d30d1fa224eab07daf42d3c4385e6958239925ebcfc462f45706ca375e885f8

Download Submit
\Windows\SysWOW64\uwdx.exe

Filesize
18KB

MD5
57b39e7e3b29ef594449a1949241a451

SHA1
885aee7d5af106943dc4e35548a20d9282569063

SHA256
32f54a06fe3b10f6716edfa1ca7b95d3627e09a3cf6d6691b5122077aa839c22

SHA512
7f6d66ab21ab7e326ca35049052f314dbad3f048dd1f48258c552134d8f4a5b2e7e80fc662c98d8e24dd5ae501d36d10cc9bdf1eb166baa670b5b4b0a0df2165

Download Submit
\Windows\SysWOW64\uwdx.exe

Filesize
18KB

MD5
57b39e7e3b29ef594449a1949241a451

SHA1
885aee7d5af106943dc4e35548a20d9282569063

SHA256
32f54a06fe3b10f6716edfa1ca7b95d3627e09a3cf6d6691b5122077aa839c22

SHA512
7f6d66ab21ab7e326ca35049052f314dbad3f048dd1f48258c552134d8f4a5b2e7e80fc662c98d8e24dd5ae501d36d10cc9bdf1eb166baa670b5b4b0a0df2165

Download Submit
memory/1124-74-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1124-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1176-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1176-62-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1248-61-0x0000000002F50000-0x0000000002F95000-memory.dmp

Filesize
276KB

Download
memory/1248-94-0x0000000002F60000-0x0000000002F69000-memory.dmp

Filesize
36KB

Download
memory/1248-79-0x0000000002F60000-0x0000000002FDB000-memory.dmp

Filesize
492KB

Download
memory/1248-93-0x0000000002F60000-0x0000000002F69000-memory.dmp

Filesize
36KB

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-68-0x0000000002F60000-0x0000000002F69000-memory.dmp

Filesize
36KB

Download
memory/1248-60-0x0000000002F50000-0x0000000002F95000-memory.dmp

Filesize
276KB

Download
memory/1248-69-0x0000000002F60000-0x0000000002F69000-memory.dmp

Filesize
36KB

Download
memory/1596-87-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/1596-88-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/1596-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1596-95-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/1596-96-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/1728-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1728-92-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download