724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761

Analysis

max time kernel
42s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Size

255KB
MD5

a21866d9f30bc18a9e8e07d8fcf6daac
SHA1

c03c240fb20374c86f77075d2b0518ef81aefc06
SHA256

724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761
SHA512

483ead87684076d38238e518ed520341ffe7997f706843c0a6ff42356abf4ebfd122b3a23c34f38e41ccf2a8f810d0e5980f81b7f9e42e6de33606bfb8abe4cf
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI1

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	trynfojnyt.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4864-133-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/files/0x000300000000071d-136.dat	upx
behavioral2/files/0x0003000000000721-142.dat	upx
behavioral2/files/0x0003000000000723-145.dat	upx
behavioral2/files/0x0003000000000723-144.dat	upx
behavioral2/files/0x0003000000000721-141.dat	upx
behavioral2/memory/2576-146-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4008-148-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4220-149-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/files/0x0003000000000721-151.dat	upx
behavioral2/memory/4760-147-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/files/0x000300000000071f-139.dat	upx
behavioral2/files/0x000300000000071f-138.dat	upx
behavioral2/files/0x000300000000071d-135.dat	upx
behavioral2/memory/396-152-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4864-154-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/files/0x000300000000072d-157.dat	upx
behavioral2/files/0x000300000000072b-155.dat	upx
behavioral2/files/0x000300000000072d-156.dat	upx
behavioral2/memory/4760-167-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4220-169-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4008-168-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/2576-166-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/396-170-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\syfilthu.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File created	C:\Windows\SysWOW64\mipepzftgnypv.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File opened for modification	C:\Windows\SysWOW64\mipepzftgnypv.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File created	C:\Windows\SysWOW64\trynfojnyt.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File opened for modification	C:\Windows\SysWOW64\trynfojnyt.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File created	C:\Windows\SysWOW64\vnfhnlscetpojnz.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File opened for modification	C:\Windows\SysWOW64\vnfhnlscetpojnz.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
File created	C:\Windows\SysWOW64\syfilthu.exe	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7A9D2083516A4376A670552CA97C8765DD"	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABAF96BF191837E3B3681983992B08A03F042680349E1C442EE09A0"	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B058479339EB53B9B9D6329DD4B8"	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF8E4F5B856D9047D62D7D93BC90E1355932664E623ED6E9"	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B7FF1B21ADD10FD1D58B7B916B"	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67B1590DAB4B8C07F92ED9234BD"	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2576	4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe	89
PID 4864 wrote to memory of 2576	4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe	89
PID 4864 wrote to memory of 2576	4864	724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe	89

C:\Users\Admin\AppData\Local\Temp\724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe
"C:\Users\Admin\AppData\Local\Temp\724e4c9bdf2c76e3f86f7d6c36722d3417d5e4d4eee161a812e0211dfc179761.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\vnfhnlscetpojnz.exe
  vnfhnlscetpojnz.exe
  2⤵
  PID:4760
- C:\Windows\SysWOW64\syfilthu.exe
  syfilthu.exe
  2⤵
  PID:4008
- C:\Windows\SysWOW64\mipepzftgnypv.exe
  mipepzftgnypv.exe
  2⤵
  PID:4220
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:4976
- C:\Windows\SysWOW64\trynfojnyt.exe
  trynfojnyt.exe
  2⤵
  - Executes dropped EXE
  PID:2576

C:\Windows\SysWOW64\syfilthu.exe
C:\Windows\system32\syfilthu.exe
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Filesize
36KB

MD5
a78da072c4538bf3d0daab9320dc63f7

SHA1
a3c4924f2bc3bc37f0c65b67545ec5a9add8eb67

SHA256
29a2337c92621d59ccb5693f4b2df6d50a00495099bc2eafb11f7b7fb9e59e98

SHA512
74ee4e0877e81268be2ff6c70d65aa927b0522d94ce0e13fd380fef4bc49b44cfe468695f6e195bbc55abc01e8e623a365171aca9310b780240c86760f8158d2

Download Submit
C:\Windows\SysWOW64\mipepzftgnypv.exe

Filesize
20KB

MD5
d48e1bd7548cecd50cfff39ab439bd6c

SHA1
ac692a62ee26a96b9c5da87555461ff884b82c02

SHA256
6eb7dc279c8a3c4ccc7565dc16cc7c9fffa52c580246514aa991322a4382bae3

SHA512
080a361f1d81ac77857a06147a7981c3f4822dc1d92d714bc3b2043532b4e46198e7080ef44297aa5e564924aa45e4f37694e8ebbcdce6f177ec22db2a641c29

Download Submit
C:\Windows\SysWOW64\mipepzftgnypv.exe

Filesize
27KB

MD5
6703cceb0795350a06bf200b102f16cc

SHA1
bb487deaebaf09b0560cecb9e48e638e1e75f84b

SHA256
61027f35f4bccb5dac0d5e4feb89b83e7f04b06e745c0984046a08bb5de35c50

SHA512
c5f012ae838ef8e907b92649e0f195d756775d34911da92d0ca7126b0c4907ca8ba3919660b99533c92c4251951a811f136df5e532bbbd98da3078f21f032ce8

Download Submit
C:\Windows\SysWOW64\syfilthu.exe

Filesize
45KB

MD5
1abac1951f7909e54a0a6d9206d4a88a

SHA1
f365d3a81b490651b1ec738047580c67cde6e83c

SHA256
073794709d2acc899aebfa99392e502686d6a4df86079d705c2a21f7c9dc07d0

SHA512
493abbe3e2e209b48fcdbf5e118c3720fd23e8e9570e16b2206e001307ed85598a62b3f196e4ece519e7c6c9406f8b83724037905d3a2e798156453f9cfa0036

Download Submit
C:\Windows\SysWOW64\syfilthu.exe

Filesize
14KB

MD5
8e90f78a6d07d2fd60d578740f3c43e1

SHA1
d4845bd81cb4f55ce7d3f5606c933587961ee8f6

SHA256
e0fe443851909e35b3c5d9af3f3bf08334d786ba215f57fe923c35b87bdbaeaf

SHA512
0be269ff3878a797e1841b5acc1c8324f7d112866ea174e8cb7ef8e0eab6ea0e1de934b1c02e7c062e74d0fbc496b6573374d920924bc5c7ec4fb6a94046e3cb

Download Submit
C:\Windows\SysWOW64\syfilthu.exe

Filesize
32KB

MD5
9883524ac2b76701c76f232c9799fd8e

SHA1
ce1558b70274dcaab92702d2ca02d46e26ac1ba0

SHA256
18a640dd7204d2e1d0e3c97ecc8bf39fc891f1b14ca6fad71a06c69b0fa6896d

SHA512
65755c6ddb553918b59deef68376362a7760f6e5b892862cc316f989d66f3e047418a46daae6639b68981c751bb9026d73f835f782dbc5977eb9f9a7b7050e13

Download Submit
C:\Windows\SysWOW64\trynfojnyt.exe

Filesize
47KB

MD5
28c2ec0e8cb657f4614089fa384d070e

SHA1
7b5b27d386a42aaf9d8ab504c752d79d3a125e3d

SHA256
94b0e8f73b541a1f81998d48d5e341d3592e770156e399990a37dd4fa3120091

SHA512
f6c710404672787d92a53cd6a750fa7a792496926f4369f7072824baea67851cfae05605d6aed93ada4880cd62c25d004182dac74aa61be9a7c66f4ba2d74535

Download Submit
C:\Windows\SysWOW64\trynfojnyt.exe

Filesize
29KB

MD5
f482e80cad0541fc12a39ccf0c20e342

SHA1
0743c43de4e69fdce71f299ad63394374394c1c6

SHA256
a5a809ed910a0346b6eb15902706d08de6fc64d8f71b54d2529574c1d54d083f

SHA512
aeb1cb58af5df0711f186e38a36adf074fa2f440935f40c5701b1bc67b26fe7abe25295f705c0993f207e2ae23a24329141cfe10cc5f0935618ab5de7eb85e83

Download Submit
C:\Windows\SysWOW64\vnfhnlscetpojnz.exe

Filesize
11KB

MD5
34670c983213b7554f217370c01a24ea

SHA1
3c75a56ee31990cd21b9da43c3fca30067a377ff

SHA256
8afad56fb71af1fd6af604ce84d08bb590c5358d0a25af5e432e9b569a1306cc

SHA512
63ac10acf529c6e59d2ed9d528e323fc0a3a47c791d23d9af4cfca162ddb0fd7cd87ca1cfcc750ea12a677c26ee8c0103621f20d323949cb86d77946231316f1

Download Submit
C:\Windows\SysWOW64\vnfhnlscetpojnz.exe

Filesize
13KB

MD5
56248b797df3e40cbf545125a58bc92b

SHA1
2c4bdf3b262fc63577ecc5599b72851156f614b3

SHA256
c3a58fd30946a4707fe72bd1eb73b503f14462b6b0ef7f64c579776c80caa6a2

SHA512
b751db9f4ab8cce2c6839220b0350eed02c6d7602333c92a598af654dbea580692ffa23e4480d05b799491820341444bc6f40a5cbce06599a3d415c4c84f7e22

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

Filesize
41KB

MD5
c5c891cfde2715e17187c009775be81d

SHA1
a601ee1391918f6bb9eb59bf5a2cbdd3b4387ee4

SHA256
8dfb8fbec7eeb47e1668f251f0db9b117534a773a7f2350cfcb975172361a813

SHA512
31c1b059153996329fb96be64bbedeb9f1b875768c869e9179dd98da1aa1719252970f3ca114a282d6f507747a4bb91a53bd5adce586884482cab449e4947358

Download Submit
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

Filesize
21KB

MD5
fe4adb9e5310957aacac27f6907364ff

SHA1
67b59543a51021b7a17fe25d3557a1d018f04e11

SHA256
3cf3e5af6bbc907039480b421e069e0ba7e2f2fc038ca9a0c04156d52727dfbe

SHA512
678fbb0e3adc989437af35b42c1fde2a58633051daf385ef5f5f43e05cb4fec96f51b3a247e573406dad38595cd6067e7c069f3ffed6056486ce101582296fe6

Download Submit
memory/396-150-0x0000000000000000-mapping.dmp

Download
memory/396-152-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/396-170-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2576-146-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2576-166-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2576-134-0x0000000000000000-mapping.dmp

Download
memory/4008-148-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4008-140-0x0000000000000000-mapping.dmp

Download
memory/4008-168-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4220-143-0x0000000000000000-mapping.dmp

Download
memory/4220-169-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4220-149-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4760-147-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4760-137-0x0000000000000000-mapping.dmp

Download
memory/4760-167-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4864-133-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4864-154-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4976-159-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/4976-163-0x00007FFB99260000-0x00007FFB99270000-memory.dmp

Filesize
64KB

Download
memory/4976-164-0x00007FFB99260000-0x00007FFB99270000-memory.dmp

Filesize
64KB

Download
memory/4976-153-0x0000000000000000-mapping.dmp

Download
memory/4976-160-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/4976-162-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/4976-161-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download
memory/4976-158-0x00007FFB9B4D0000-0x00007FFB9B4E0000-memory.dmp

Filesize
64KB

Download