ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0

Analysis

max time kernel
129s
max time network
128s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 00:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
Size

1.5MB
MD5

3961f317490ceabb6ef54ff1fffab5c3
SHA1

cd82564dfef22d6bf459def76ff77a0b817a775d
SHA256

ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0
SHA512

80e7c9706eb60e208fc6823a81292d95eae162925fd4ce44b044dc120dd24b4a02d120f105daf9c961fafc0f9bdd6759cfe51482732c0feb2fa7f04bd94ab4ab
SSDEEP

49152:pJZoQrbTFZY1ia2iKpr+isBED02+z39Ry4prQ:ptrbTA1KpoL2+h9rQ

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/960-71-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/960-76-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/960-74-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/960-79-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/960-80-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1036-87-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1036-90-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1036-93-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1036-96-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1036-99-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1036-101-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1036-100-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/960-106-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 set thread context of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1716 set thread context of 1036	1716	vbc.exe	34

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pavk.bin	vbc.exe
File opened for modification	C:\Windows\ProcessHacker.exe	vbc.exe
File opened for modification	C:\Windows\kprocesshacker.sys	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
960	vbc.exe
960	vbc.exe
960	vbc.exe
960	vbc.exe
960	vbc.exe
960	vbc.exe
960	vbc.exe
1036	vbc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
960	vbc.exe
1716	vbc.exe
1036	vbc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1980	1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	27
PID 1672 wrote to memory of 1980	1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	27
PID 1672 wrote to memory of 1980	1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	27
PID 1672 wrote to memory of 1980	1672	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	27
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 1716	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	28
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 1980 wrote to memory of 960	1980	ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe	29
PID 960 wrote to memory of 1072	960	vbc.exe	31
PID 960 wrote to memory of 1072	960	vbc.exe	31
PID 960 wrote to memory of 1072	960	vbc.exe	31
PID 960 wrote to memory of 1072	960	vbc.exe	31
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 1716 wrote to memory of 1036	1716	vbc.exe	34
PID 960 wrote to memory of 968	960	vbc.exe	36
PID 960 wrote to memory of 968	960	vbc.exe	36
PID 960 wrote to memory of 968	960	vbc.exe	36
PID 960 wrote to memory of 968	960	vbc.exe	36
PID 960 wrote to memory of 2020	960	vbc.exe	37
PID 960 wrote to memory of 2020	960	vbc.exe	37
PID 960 wrote to memory of 2020	960	vbc.exe	37
PID 960 wrote to memory of 2020	960	vbc.exe	37
PID 960 wrote to memory of 1100	960	vbc.exe	40
PID 960 wrote to memory of 1100	960	vbc.exe	40
PID 960 wrote to memory of 1100	960	vbc.exe	40
PID 960 wrote to memory of 1100	960	vbc.exe	40

C:\Users\Admin\AppData\Local\Temp\ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
"C:\Users\Admin\AppData\Local\Temp\ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe
  "C:\Users\Admin\AppData\Local\Temp\ae44e3752912c3434150a33bece4f8283d8eb4b39ae5c8ca001ab8ad22bd9de0.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\OYTdreHle"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del /q /f %temp%\*.lnk
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn WindowsUpdateOcmBP0x8429524
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn WindowsUpdateOcmBP0x8429525 /tr "C:\ProgramData\OcmBPtKW\dWKtPBmcO.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c start %temp%\OcmBPtKWd.exe
      4⤵
      PID:1100

C:\Windows\system32\taskeng.exe
taskeng.exe {B452AF78-D084-4D5D-BFC4-B6ED3F35F662} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OYTdreHle

Filesize
841KB

MD5
90dfd526e32e5434d208989eca24b242

SHA1
4965347d00017aed48a6e1eae1d5db1cb49dd17d

SHA256
3067b849c680a125ecdae039a8554d35b559a218164a7a6bc13d035c33dc404f

SHA512
cb28cbdc62060d26c6f1342058317c8db38f6c40d7b95e34e7c5f0c2e7dd718cfc89b11b6ecd88c1f2134189a51c1bba9edf5996b6cd306fcc7897b19fbf1029

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat

Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.nfo

Filesize
3KB

MD5
5fae023d0f4d9d94bcdbf6b5581a71ca

SHA1
b6569e50b87b53c912430e8fe1dc1eda4192053e

SHA256
1ff222637a9ef5c034bba5747b119bba0b7635aaf308832d2410d83b89f07ea2

SHA512
97718df3e5f51d20966e4682bcd3ec29b43deafa912b46977197d51e55a1a34431f601462d658e58f5b6057e6708315b38f3a7432494ba8b0dbac31471b90b1c

Download Submit
memory/960-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-106-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-80-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-79-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-74-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1036-99-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-103-0x0000000001611000-0x00000000016C4000-memory.dmp

Filesize
716KB

Download
memory/1036-112-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/1036-111-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/1036-102-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/1036-100-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-101-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-96-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-93-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-90-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-86-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1036-87-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1716-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-63-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-65-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-62-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-97-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-59-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-75-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-82-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download