416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973

Analysis

max time kernel
20s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Size

255KB
MD5

482407e85f567121aa9e6d81c7abcc09
SHA1

46385a709458d357df62ef3b928769a449021873
SHA256

416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973
SHA512

45af19b8282273c398a76d24a475bf6e94285fd5fed42779fc0a72c97f4085c11c9a51fe9812592d498868eedda3b8fb4920ab840a842883d8a8ac6f89eb72cd
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJf:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1816	zthdenjhvp.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/files/0x000c0000000054a8-60.dat	upx
behavioral1/files/0x000b000000012326-61.dat	upx
behavioral1/files/0x000b000000012326-63.dat	upx
behavioral1/files/0x00080000000126a6-66.dat	upx
behavioral1/files/0x00080000000126a6-68.dat	upx
behavioral1/files/0x00070000000126c7-70.dat	upx
behavioral1/files/0x00070000000126c7-73.dat	upx
behavioral1/files/0x00080000000126a6-72.dat	upx
behavioral1/files/0x00070000000126c7-75.dat	upx
behavioral1/files/0x00070000000126c7-77.dat	upx
behavioral1/files/0x00070000000126c7-79.dat	upx
behavioral1/files/0x000b000000012326-65.dat	upx
behavioral1/memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1700-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/628-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1380-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1816-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00080000000126a6-90.dat	upx
behavioral1/files/0x00080000000126a6-88.dat	upx
behavioral1/memory/852-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1624-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bfjypnjmvnwkdmv.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File created	C:\Windows\SysWOW64\wbzfxdpt.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File opened for modification	C:\Windows\SysWOW64\wbzfxdpt.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File created	C:\Windows\SysWOW64\dvoysbztwtwjt.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File opened for modification	C:\Windows\SysWOW64\dvoysbztwtwjt.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File created	C:\Windows\SysWOW64\zthdenjhvp.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File opened for modification	C:\Windows\SysWOW64\zthdenjhvp.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
File created	C:\Windows\SysWOW64\bfjypnjmvnwkdmv.exe	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BC2FE6621D9D10CD0A18A7D9163"	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C67F1493DBC4B9CE7FE1ECE537CC"	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7C9C2183206A4276A570552CD67CF165D9"	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAC9F967F29084093B3086EA39E3B38902FA42160332E1CA42ED09D3"	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12844E4399D52BDBAD633EED4BB"	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FCF8482F82189042D75A7EE6BC90E635584366406334D690"	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1816	1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe	28
PID 1624 wrote to memory of 1816	1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe	28
PID 1624 wrote to memory of 1816	1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe	28
PID 1624 wrote to memory of 1816	1624	416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe	28

C:\Users\Admin\AppData\Local\Temp\416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe
"C:\Users\Admin\AppData\Local\Temp\416287d38026e912e633a78fa3edb6accfa6c63cbe7cc3097e5b03428f376973.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\zthdenjhvp.exe
  zthdenjhvp.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- - C:\Windows\SysWOW64\wbzfxdpt.exe
    C:\Windows\system32\wbzfxdpt.exe
    3⤵
    PID:852
- C:\Windows\SysWOW64\dvoysbztwtwjt.exe
  dvoysbztwtwjt.exe
  2⤵
  PID:628
- C:\Windows\SysWOW64\wbzfxdpt.exe
  wbzfxdpt.exe
  2⤵
  PID:1640
- C:\Windows\SysWOW64\bfjypnjmvnwkdmv.exe
  bfjypnjmvnwkdmv.exe
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:768

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c dvoysbztwtwjt.exe
1⤵
PID:1784
- C:\Windows\SysWOW64\dvoysbztwtwjt.exe
  dvoysbztwtwjt.exe
  2⤵
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bfjypnjmvnwkdmv.exe

Filesize
26KB

MD5
d97d3eb5beab94a0c5ef28c22081af9e

SHA1
7858a24ebab49f42e567ee593397e83a1f75be9e

SHA256
0d5c6e8e8508b435fb30ed7159295401d03fc6dd8f56af7d58d6a9b34716f757

SHA512
65aa80236aaca22e0fd175c0f1213e13b40262c52a60137d014aa8bd185b5ccac572235dc68a4eaffb52e2a23fe648bc98cf22fab53c130ca7cd108393fae569

Download Submit
C:\Windows\SysWOW64\bfjypnjmvnwkdmv.exe

Filesize
32KB

MD5
3a6b4528eca330544c1fa91cef782b66

SHA1
05febd66b08448d64df256037eae469e72f8b9fe

SHA256
b1eb789e2eda4540992795d90119ec4ac9eccb67c6b2180e2f3fabe6ee1b0c58

SHA512
8540f3c1563a89d1bfce35fe2940e49e6875126caac1b71614aea5a1b020de783b6898daeaaec820079ba67abd8f30afc220b4cc6f7c3a0a96cc06e8fd3d3b2e

Download Submit
C:\Windows\SysWOW64\dvoysbztwtwjt.exe

Filesize
35KB

MD5
d4be8153dbaf8aa83753ecf499f79e83

SHA1
737a0677fbdee917d769d1df5adbd35a6d66e700

SHA256
c485f96c80766ec1106983666171e8679d61d4f444f06398325b6eb7c5066ebb

SHA512
408cf45ab8f28c1728f70fcc2c3945d5611c506b58468d5f61ec0b72effb6573bdab71bc6c31fe3b2c6f08f6b1c659b051c3f16f94fce066d3fd0584beb1b600

Download Submit
C:\Windows\SysWOW64\dvoysbztwtwjt.exe

Filesize
22KB

MD5
bf9dd67248a9617949ddf011e687c0f2

SHA1
cc70d5833f9beba588e13edfeaace504cfd3a5a8

SHA256
a2079c0c842aac6d8a314d54c82072a7725a4b4fa40022a5ab7366cf37bf6809

SHA512
9fc5bba9fc19d566d66fb7db471054a440bf3120104dbf933f4ee7fff301dc303c6452f3047cae7544ab3d1e69ba85c713a6757347428af495af6cbc0eb5665f

Download Submit
C:\Windows\SysWOW64\dvoysbztwtwjt.exe

Filesize
16KB

MD5
291f6b1466b5f6215686b22d37c5dd89

SHA1
e5eb44b9476050bd9c272ae668d6cd0bbaab29ef

SHA256
76e0e0aa73b2b5ae762d29f12ea755b76ac6f6904c7a51194b172ee049dd40c2

SHA512
795e9685f8c124e371679ffb1404fe4152028f07914a420008ccd132df8dafb0b8ef49a2059b57d679ee57eea64383ebb0d1f8e487297d4efc19a91f94f38932

Download Submit
C:\Windows\SysWOW64\wbzfxdpt.exe

Filesize
29KB

MD5
ebf76d28637966f58ef9b8fc9b5c7da6

SHA1
b667977d70047f929d2d3338b45151e3a113ac25

SHA256
89c46049a641f8c3c1776b66cdce026352e506011a79eb9606823a659c274242

SHA512
293ca2a63a81ec95ef0163ae4fb28a8b685a9d4168bf6d016a6bfff696133dc074f0d56997731ac8037c99345441736d3a0605eb19571fb50c462d7199691389

Download Submit
C:\Windows\SysWOW64\wbzfxdpt.exe

Filesize
37KB

MD5
50157c3c3a66ca37bac778822c6be18a

SHA1
002d7e71cbd20d2709bfc3c0e362c6840634329c

SHA256
f0689b5f3fdc1a321ad8578f5ad1213c01db11112c120443de2aa908dec7b747

SHA512
48f6f2d4ecccdba802f9cfac1602a239f5f50c026423ae589ef826df15ceec7e0271a820cb458da2c79dbdb43b9f7adc7f19f3b2c3c7abb320e61b67d31e9f9f

Download Submit
C:\Windows\SysWOW64\wbzfxdpt.exe

Filesize
22KB

MD5
7169da17a95574a00a59a40af51769cb

SHA1
0fc5b2be9d37aa47441a39d3a1c2a4f4a2a0125e

SHA256
a1e95b2bdaca565d14669b4044ed52540c2565bd256d4b802cfc65e575ee7c65

SHA512
14ecc2301a0228533a21a171a37d27408d55969f697efcb9ec8f87daf775464e72ae8469b6be3ccc1207dc89056831c6d0db4fa2d9d1b8a5810735f2bcab0138

Download Submit
C:\Windows\SysWOW64\zthdenjhvp.exe

Filesize
28KB

MD5
164d30011c9301f490ea433204b2d629

SHA1
c3f51597897530f239045a4c492759951f81cf00

SHA256
8453c51d9e489f972a5efdd6cfa81f8a791cc7d8ff177e0a897e4bccf9e2b01a

SHA512
5d12a0f4ca64d30fd7f4bcb07222b198b03a9415810ffd84e5e502c81b04cc155095ce3ef668b5b6b52f4ced1083843e3fae223ae76eefc13aa2caf34c9c09f3

Download Submit
C:\Windows\SysWOW64\zthdenjhvp.exe

Filesize
18KB

MD5
0862067d6d4df5bfa58d9b53dc6e64af

SHA1
8e49e852d1c941118db312ea1b148444cb27706e

SHA256
daaff8e8cafabf1b2b7d4ac6355a4cfe1210b6846056c02dd7c3be35fc1e5ed2

SHA512
4958398903578970b0a766b66cfcf4db8c0234a328bb727105315c4def785d267cfb5be5df7f91738a42550e3bb3250f8bb03d26878ac55b9e656097bfae4f3a

Download Submit
\Windows\SysWOW64\bfjypnjmvnwkdmv.exe

Filesize
29KB

MD5
547b925069a6a07f328f305166a9f20d

SHA1
b5dc62390b16bd1ab1852a88b516ba43305e633c

SHA256
db83faf48fbcf09a0297180937f190ed45a731d707d7d48386ed65d71ce0aacf

SHA512
8a9aabfb4264d67f51412e2e2a69970c5d26d696ffeca28c1041b3622da69f77f65368e23aa7bf49f2cf096c28e29121cca2e71bc2026ee97fd371b245d9e394

Download Submit
\Windows\SysWOW64\dvoysbztwtwjt.exe

Filesize
14KB

MD5
d71e9e4477a922bd431fee843d0bd8a9

SHA1
3b82171091a06f71220972d77a561a2fbda854b2

SHA256
598a2fc54b9bca7ee6a694f975dee49c87ff3fd753ade98eaddfadd189517148

SHA512
a9a76a6f25b7b50e938307801b5cfdac48ebeb7e37a05836398f73d81d986a4119a0fd22626cd6da6f4c262eff246178c1e2430af04477436ab8bbe9267f0167

Download Submit
\Windows\SysWOW64\dvoysbztwtwjt.exe

Filesize
29KB

MD5
37ffbd9ee30026e59ddd52087bd0c943

SHA1
ec24824c0908f4d7bc0f0bd50072aa164141b389

SHA256
ee1da8e5521d82ca91fe9ee61fabcd2ecf14cf1452b32dc5929fbf10b581f54e

SHA512
d79f256f15fd52163d79cf7351ce35fbb00012f5fc0846f7671bd297c0bb752593c9fe158dd1a608744a458ccfeaaf0a108e54e90d236b557e35b9a51c548d67

Download Submit
\Windows\SysWOW64\wbzfxdpt.exe

Filesize
20KB

MD5
473e918ba3e8ce16c2f532dd5afba7e5

SHA1
78993116b9e8a164ae51ccd3a6afa9c5c0f10e78

SHA256
03c54691cc476b97684608ec15dddb7e426d7e31ac1d18aebaf4b410cf2d29ff

SHA512
b5b8b4a3f1287fb2af5b0f190b8d0ffbcf81960d3e6f4d1bb6410425f673c429624b84beab4153dbd46d07e2a75a648e492db739944581b43497b6bafc244f4a

Download Submit
\Windows\SysWOW64\wbzfxdpt.exe

Filesize
34KB

MD5
53540f3601dfa80b1f4b13b2b60ec402

SHA1
59efac66a366dd3fe505cdc69cd0febb03724b4a

SHA256
070d870e854df1ba895c79f76310523f20725cf57d84ed6e5ba45d0559cca748

SHA512
9365756c6a36950241646d41ef43453832ef5d4a48693573162eb3f1754e5f8f940d33e20d61018b5135ddf65b69f653b44e93bdfd1b088273462166717ab273

Download Submit
\Windows\SysWOW64\zthdenjhvp.exe

Filesize
28KB

MD5
c7f202535edd84ae8b86b508adda790b

SHA1
883f330cbcea107d36c846c95a74310a20bb8abb

SHA256
11be65dfd4521f67b5e3c62136f86319cf414169b8ef42908002006b9c97f58b

SHA512
b62a4e68b86a36267c9485677d44e577d6ce11e8f668bdeb5501666665a45e26913576748090fcf605139369468aafe28791eeee188afaf8d8e993cf9d821032

Download Submit
memory/628-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/768-96-0x0000000072581000-0x0000000072584000-memory.dmp

Filesize
12KB

Download
memory/768-97-0x0000000070001000-0x0000000070003000-memory.dmp

Filesize
8KB

Download
memory/768-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/852-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1380-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1624-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1624-81-0x0000000002490000-0x0000000002530000-memory.dmp

Filesize
640KB

Download
memory/1624-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1624-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1700-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1784-86-0x0000000000410000-0x00000000004B0000-memory.dmp

Filesize
640KB

Download
memory/1816-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1816-92-0x0000000003440000-0x00000000034E0000-memory.dmp

Filesize
640KB

Download