fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2

Analysis

max time kernel
37s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe
Size

518KB
MD5

59a1209fd5104cdf65e1b754cb37b6fe
SHA1

479d9d79431b30eaf21fb94bb17cad8b29bf2b25
SHA256

fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2
SHA512

31c6753527543ddd35001ab0df7bbe7d8fec858d3344040023479b939654c175947e81c2ad753a1ddc1af1a21cb0c87b316ce268f26933b07c24e0c7aa399c15
SSDEEP

12288:BIFs0zHpoflirqzRI6APGeCC58ZzRX/PEeVrpw8ggffFNY:Ss2oUoIFPGs58ZWeZpJrffU

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
792	server.exe
1252	server.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1664-59-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1664-84-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
792	server.exe
792	server.exe
1252	server.exe
1252	server.exe
1252	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1464	DllHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 1664 wrote to memory of 792	1664	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	27
PID 792 wrote to memory of 1252	792	server.exe	28
PID 792 wrote to memory of 1252	792	server.exe	28
PID 792 wrote to memory of 1252	792	server.exe	28
PID 792 wrote to memory of 1252	792	server.exe	28
PID 792 wrote to memory of 1252	792	server.exe	28
PID 792 wrote to memory of 1252	792	server.exe	28
PID 792 wrote to memory of 1252	792	server.exe	28

C:\Users\Admin\AppData\Local\Temp\fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe
"C:\Users\Admin\AppData\Local\Temp\fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\server.exe
  "C:\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1252

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Avira.jpg

Filesize
141KB

MD5
403ef43042fce5f7b020142edd81d55d

SHA1
de34d26987bb53257a2c45305ef7b048416d482d

SHA256
d8fe4fd40885492598238aa4d55e7aff55b8c08ed86f590e5bb093659eded625

SHA512
9ed40ac6e87b141ef7a7f5bb0a32a1d27dac8737db27fb59e5cdb71e1d7d8db72fe732593c4f688bc0c0fefc12a500122152e5bd0769a62061a21adf23010dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe-up.txt

Filesize
6KB

MD5
87debb81853583dd672afa9c29106bf4

SHA1
f000fc63c69286397058dff932534d7989bb270b

SHA256
80852449d2c87abb1df887ee40155edfd815b0013d5258cb9852cf7cdfe3a754

SHA512
986c4f76c729b7d7b8d11ffdc79619aaa2f5bda88cb478bf6220844bc447d2a652daf58dbaf8b4d7f830373377734b582a155c3732c1e745a94d8124a7c85703

Download Submit
C:\server.exe

Filesize
364KB

MD5
b723a6e300a5f0f86d488aeaab4b81e0

SHA1
8fccdaf0e16ce1baebf2466dd169463cd488070d

SHA256
0b21af1244263139d20f32796f0f3c41a97bea06afa906e2086732ef0a513c85

SHA512
3e2e6f504195cb5ae837e50433d1c8742d06206ac52febb105fc5fa4b04d7735efecae0da0ea259dea308adbaaaa3b66fc394a93ad3c323879a5d737329e43ad

Download Submit
C:\server.exe

Filesize
364KB

MD5
b723a6e300a5f0f86d488aeaab4b81e0

SHA1
8fccdaf0e16ce1baebf2466dd169463cd488070d

SHA256
0b21af1244263139d20f32796f0f3c41a97bea06afa906e2086732ef0a513c85

SHA512
3e2e6f504195cb5ae837e50433d1c8742d06206ac52febb105fc5fa4b04d7735efecae0da0ea259dea308adbaaaa3b66fc394a93ad3c323879a5d737329e43ad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
memory/792-63-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/792-75-0x0000000000200000-0x0000000000239000-memory.dmp

Filesize
228KB

Download
memory/792-88-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/792-87-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/792-77-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download
memory/792-73-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/792-74-0x0000000000170000-0x00000000001CB000-memory.dmp

Filesize
364KB

Download
memory/792-76-0x0000000000A01000-0x0000000000A05000-memory.dmp

Filesize
16KB

Download
memory/1252-78-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/1252-79-0x0000000001F61000-0x0000000001F65000-memory.dmp

Filesize
16KB

Download
memory/1252-81-0x0000000000391000-0x0000000000395000-memory.dmp

Filesize
16KB

Download
memory/1252-82-0x0000000001FC0000-0x00000000020C0000-memory.dmp

Filesize
1024KB

Download
memory/1252-80-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download
memory/1252-85-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/1664-60-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1664-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1664-61-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1664-62-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1664-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1664-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download