4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8

Analysis

max time kernel
38s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Size

255KB
MD5

3e6e1196c1fe0673778bd195196cb877
SHA1

9092113d8a7bffe2a8a62454bcf96999f6b8ca59
SHA256

4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8
SHA512

7d3b0fbdbd49607bc735f572afcfe9d852c04eb9484fdedf496635b20d02d298f9b2dd0ee3e53e76d8c0f5f94026cbe525f6c4764b6662ad1ccdf93e7bc1826c
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ2:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIr

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1584	klwcbxvrsq.exe
960	ywnyjzwxvycgblt.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x000a000000012300-61.dat	upx
behavioral1/files/0x000800000001230c-65.dat	upx
behavioral1/files/0x0008000000012310-71.dat	upx
behavioral1/files/0x0008000000012310-78.dat	upx
behavioral1/files/0x0008000000012310-76.dat	upx
behavioral1/files/0x000800000001230c-82.dat	upx
behavioral1/files/0x000800000001230c-80.dat	upx
behavioral1/files/0x0008000000012310-74.dat	upx
behavioral1/files/0x000800000001230c-72.dat	upx
behavioral1/files/0x0008000000012310-69.dat	upx
behavioral1/files/0x000800000001230c-67.dat	upx
behavioral1/memory/1220-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1584-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/940-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/388-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/832-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1368-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/960-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000a000000012300-64.dat	upx
behavioral1/files/0x00140000000054ab-63.dat	upx
behavioral1/files/0x000a000000012300-58.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/memory/1220-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\samidmnh.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File opened for modification	C:\Windows\SysWOW64\samidmnh.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File created	C:\Windows\SysWOW64\ssqahutxgsvov.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File opened for modification	C:\Windows\SysWOW64\ssqahutxgsvov.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File created	C:\Windows\SysWOW64\klwcbxvrsq.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File opened for modification	C:\Windows\SysWOW64\klwcbxvrsq.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File created	C:\Windows\SysWOW64\ywnyjzwxvycgblt.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
File opened for modification	C:\Windows\SysWOW64\ywnyjzwxvycgblt.exe	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC70F14E2DAB7B8CC7FE3EDE437CB"	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0F9D5583256A3E77A777202DDC7CF665D8"	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CAF963F290837A3A4B819C3E99B38903FD4312033EE1CC42EC09D5"	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12B47E339EB53CABAA6329BD7CE"	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFF4F5885699130D65B7E91BCE5E135584466416331D6E9"	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B4FF1F22DED209D1D68A0C9060"	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1584	klwcbxvrsq.exe
1584	klwcbxvrsq.exe
1584	klwcbxvrsq.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
1584	klwcbxvrsq.exe
1584	klwcbxvrsq.exe
1584	klwcbxvrsq.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1584	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	31
PID 1220 wrote to memory of 1584	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	31
PID 1220 wrote to memory of 1584	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	31
PID 1220 wrote to memory of 1584	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	31
PID 1220 wrote to memory of 960	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	30
PID 1220 wrote to memory of 960	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	30
PID 1220 wrote to memory of 960	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	30
PID 1220 wrote to memory of 960	1220	4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe	30

C:\Users\Admin\AppData\Local\Temp\4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe
"C:\Users\Admin\AppData\Local\Temp\4b4bcb3f8d18cf83957c37678ad23b03dadcce0a53cb73b258da7b541de089a8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\ssqahutxgsvov.exe
  ssqahutxgsvov.exe
  2⤵
  PID:940
- C:\Windows\SysWOW64\samidmnh.exe
  samidmnh.exe
  2⤵
  PID:1368
- C:\Windows\SysWOW64\ywnyjzwxvycgblt.exe
  ywnyjzwxvycgblt.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\SysWOW64\klwcbxvrsq.exe
  klwcbxvrsq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1584
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:672

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ssqahutxgsvov.exe
1⤵
PID:1304
- C:\Windows\SysWOW64\ssqahutxgsvov.exe
  ssqahutxgsvov.exe
  2⤵
  PID:832

C:\Windows\SysWOW64\samidmnh.exe
C:\Windows\system32\samidmnh.exe
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\klwcbxvrsq.exe

Filesize
30KB

MD5
7b879cddfb2003318a51686515843e78

SHA1
b653912cd11a3a20cbc6511afb577a3e6bc064c6

SHA256
5e99f1dfebd76eab5c9d6cca80276373f08b70f3972dea857a34400e1823655e

SHA512
65e91b9f99a737b187e3bfec6b8fdbda8f309be56c4c5844d17844864d395dd19410ceef11ce060904eb100d9160b9bda083ea6773b74f114b7e9077abe47830

Download Submit
C:\Windows\SysWOW64\klwcbxvrsq.exe

Filesize
11KB

MD5
a850f0efe0ac4efb4bf3957329fa4b87

SHA1
b05f847fbaf50f2d5d02e2787bd43318f0d21a7f

SHA256
6c83d7a5c2c27282689c93694f8ce120be7ed339c61448025cdea4c9f7f1c29c

SHA512
507f558dee6996bbaa75bc47a992ee6f174c13dfbd3c5009c1ac0ab3a0510925601328d0eebd0be649e301759f8ebdd7a18d938d00c5dc7ba481d6e8dd9b59d9

Download Submit
C:\Windows\SysWOW64\samidmnh.exe

Filesize
29KB

MD5
95f608e85413ec511acd148887e83113

SHA1
55ca7ec69155a8de9392dd84634cdb18a346b22f

SHA256
8efbea8e1de77fd0acfe3ab07a26c53140caf8aff4ff64f2413bf5fbe3a1860a

SHA512
2a60a67fe1a89688915236131f9b866ea6b7a6d917faef5aaf14312b5ce6637a6af125ad716b155a7e10731c01fb91a77c9bee9972cf491308d424137af6afcb

Download Submit
C:\Windows\SysWOW64\samidmnh.exe

Filesize
21KB

MD5
857a1e43f051b662a84d6e8cad4826fb

SHA1
551029643d88a9b26b4e8f77df9f53b8063b0224

SHA256
ef2b96578ea59d1e92e30ba2b0fc55937404191be24ca1d37d73573daeeb6abd

SHA512
62f25faa8fe909373426a40af79d7f902952a284e5aa8b10b2bffce083e797bc377f95826e623d869693843a33b1d9d0c2b84c6332a700fa91ac18d2dddd7d31

Download Submit
C:\Windows\SysWOW64\samidmnh.exe

Filesize
13KB

MD5
1cfbcb9e60532c143f83262448ee496a

SHA1
2e4ff0ef1e55d7a6f4784ca0c855e6657c776aa0

SHA256
53dafcf1cbdb5c6f4d74d939f2d7f766288e455c4a983db82b9c04d543c18e3d

SHA512
5822b89ce985b8880ab9902f0ba4b1fa440c19d4f720a237c0fb7749afe6640877825d502cf3e81a1e81590e9b4934b8efe1cc2200090830a27e4ec1141c22b8

Download Submit
C:\Windows\SysWOW64\ssqahutxgsvov.exe

Filesize
38KB

MD5
3cec7696fe74693f81afb8a548c54a93

SHA1
6b82ed9b01ac13ddaa0ab244077f472bdcdf9851

SHA256
65d9f9d1dc309b14e57cbe4f0eaa76b7c12723de922bba9cc927d43c17a65bcb

SHA512
b1728101b80a3b070c430b72080361d3bf6270ae9612c296d2787dd2b8bc6951d7ec6177f222c8f13b3160536d0661d90a5abda4c98189e1cedd2ace579a60d2

Download Submit
C:\Windows\SysWOW64\ssqahutxgsvov.exe

Filesize
42KB

MD5
cede165f80e8fac9ed2f3160c26f5d46

SHA1
84ef617bb0d3a16f34666e562b9b611317901356

SHA256
98f02d0d327048de14fc9a0e91bf2c49a3ab48105ae89e69c20bcb1ef8e806ca

SHA512
581fd1cee31db4aa07466791191ad6b89820d92374e76749868b8ed460217a236104f2c3ccddc5e52306e14a6804d2d7ef7ef41b48645ec2f596f7d20a336a42

Download Submit
C:\Windows\SysWOW64\ssqahutxgsvov.exe

Filesize
38KB

MD5
e2eacecff154e015e580ce189773de66

SHA1
23ea4ab3de8fad8599a22b96572dba8dfd00c521

SHA256
1a0feb9abecd485ebba6cbfef0a421ea951bf49861efefcc9eb394d585562cc7

SHA512
5bb9cdd0719f438f2f0805ea5c7e97476fcb956caa507711cdf0173c6acada0ab039c3f92551dfb8464590db43b0beb886b9617a4436e7311015ceec541a97f8

Download Submit
C:\Windows\SysWOW64\ywnyjzwxvycgblt.exe

Filesize
31KB

MD5
019ee6917b881915a441a2ef58947b4b

SHA1
5199283185edf95e1a3cacfcd1359d271975e068

SHA256
ceeb46fee679ff893ae3caba191a7538df712e59bbf3a1299390f7f74e1de83a

SHA512
ecfe2101945cedd0b3ebbf56c1597d46e1495c7e9907098cf89f6be43789e46d2b99a364197c0fe6d3ace73c0882eefcb0e836c5b500d736e6f92e6ae6f4cd06

Download Submit
C:\Windows\SysWOW64\ywnyjzwxvycgblt.exe

Filesize
20KB

MD5
89153b362e1e7b586292cd09c02c6177

SHA1
0aae56ccd462aa7ae124758aaa87eb52e760f7ef

SHA256
5cb5eeac6ec4838a1611bcd212f97cdc03a83c6238bbf3600b23eef68264e9e6

SHA512
1e2a42981d8b700db1460ab10bedf0745557d12613f0aa883def5407e3da2da472708377a0ad171bae2afd38fc569bfa9bd9487d2ff8cd03fa0858ec5a47cc31

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\klwcbxvrsq.exe

Filesize
39KB

MD5
0721e7037fa4eef2be5487c4dcef5c83

SHA1
72d68f24c3f037fcfe883470f3797b541afc90da

SHA256
9904088c2e58b2cb17f043f4ff5efcb296e437c87d754f134e0d57828cb4374d

SHA512
145f99d03283416b8e23c9a6d6031e86cbca251c2c3e244dba608c7cbcf7300a3b788a3ed13b23f86ae4721e7255d44423cdade89a76557130b4852477746fd7

Download Submit
\Windows\SysWOW64\samidmnh.exe

Filesize
27KB

MD5
1073036999fd4aacfda9081e3c5fc64f

SHA1
d6679623017239b6ac67dbcff68b4db39f7ba636

SHA256
07ec4cfa5e65a65b855b26523e53c933d686ceb881a6e1a593309b2d32bd6cc9

SHA512
73c08754c80a7a1bb1edc5259e54d2d5f813d9750e50725b81c28ff646d8ba4e83d54b03ee312331cb27267e28174944511d53b8d3c0ba6ac4c37d392eab7acd

Download Submit
\Windows\SysWOW64\samidmnh.exe

Filesize
39KB

MD5
d0969b9212f0b41b607486a9a7bb2fe3

SHA1
1cbc3df94baff99757bf6bd9dbe70ec4b798ebdd

SHA256
8603c555b4a85f8efab818bc666146d415df73d126548863c7f85d0636e27f1f

SHA512
88bb3cb2775492398c750092383cac9afd2919655bc73e432cba4d23beed555a4632464736fa90aeb6c976da82ff1f6bf7909645b60e3997443e7ac759a6ac5f

Download Submit
\Windows\SysWOW64\ssqahutxgsvov.exe

Filesize
26KB

MD5
e33245ca9552004492a5d1b39135fc12

SHA1
5bcfaa42872264cc10003b77953785981050d223

SHA256
a7aafca6d56423572b475b2711307791e9d3eeac61c7c49a083a189a5c0d66b5

SHA512
85c85dc00dc4916462bc4eb5563acf025e02c131a601df72b0f9046acced48590b8955e360fba2d01b79dddf37cc13e9395a348f7b2a30a91fde260afa2f7f82

Download Submit
\Windows\SysWOW64\ssqahutxgsvov.exe

Filesize
22KB

MD5
8ecf4efbd9def989859809bfd5d49d8f

SHA1
67fc3e4368290a60de274f79c4c892a14ff89e84

SHA256
ed676a851fb24f8779b93b61731654ed0edd58b8d02a85e7ea2ffc70d5d178f5

SHA512
9bf4806ef2b128663c443dca5b577f3e8b44dcc4997b3691ac84de43b4180eae01ef19fd6971aeb3f260f14f654fd9381b7cfd9a0ff80830e450673e915afa48

Download Submit
\Windows\SysWOW64\ywnyjzwxvycgblt.exe

Filesize
25KB

MD5
1828d7f81cde44462de52c129ad7404b

SHA1
2474603616062a405c9f05618d3343c47c0adb22

SHA256
2642dab3a24da734a9d051ae14df3443b5adbbda9a94411d5c6eaef25c3880cb

SHA512
24ea476d00b69d6e22af5a33513e713701b9c3f1a86e5c0fca1948c1dc447c63011850bbf25920ed91ebdbcbe9e9fe5aa0ddfdc38ff53f8a53657898ecf8e79d

Download Submit
memory/388-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/672-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/672-96-0x000000006FEC1000-0x000000006FEC3000-memory.dmp

Filesize
8KB

Download
memory/672-95-0x0000000072441000-0x0000000072444000-memory.dmp

Filesize
12KB

Download
memory/672-100-0x0000000070EAD000-0x0000000070EB8000-memory.dmp

Filesize
44KB

Download
memory/832-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/940-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/960-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1220-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1220-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1220-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1220-85-0x0000000002370000-0x0000000002410000-memory.dmp

Filesize
640KB

Download
memory/1304-90-0x00000000002F0000-0x0000000000390000-memory.dmp

Filesize
640KB

Download
memory/1368-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1584-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download