5cadd37d88c2a2c1f6118c40e24e14cabdc485b9eddb1e920fae93b3b605c498

Analysis

max time kernel
38s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cadd37d88c2a2c1f6118c40e24e14cabdc485b9eddb1e920fae93b3b605c498.exe
Size

255KB
MD5

ba4b81faa04c7fe76722efdb38cfec16
SHA1

a9e8fd8083539010a82f9971c220fd3bd22dceed
SHA256

5cadd37d88c2a2c1f6118c40e24e14cabdc485b9eddb1e920fae93b3b605c498
SHA512

ab4ca49658483cf6e42c28f992441d37d5007de62eca408aae96a50d49d29ac5f58a3478b6049c98ef651c4c35c6c7c19d956dcda69d42dfc6b9167616183a63
SSDEEP

6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6g:Plf5j6zCNa0xeE3m5

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000b00000001232e-60.dat	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx
behavioral1/files/0x00070000000126f1-72.dat	upx
behavioral1/files/0x00080000000126c7-75.dat	upx
behavioral1/files/0x00070000000126f1-74.dat	upx
behavioral1/files/0x00070000000126f1-80.dat	upx
behavioral1/files/0x00080000000126c7-84.dat	upx
behavioral1/files/0x00080000000126c7-82.dat	upx
behavioral1/files/0x00070000000126f1-78.dat	upx
behavioral1/memory/1892-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/848-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1808-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1684-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1888-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1120-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00070000000126f1-69.dat	upx
behavioral1/memory/1712-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00080000000126c7-68.dat	upx
behavioral1/files/0x000b00000001232e-66.dat	upx
behavioral1/files/0x00080000000126c7-65.dat	upx
behavioral1/files/0x000b00000001232e-63.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\5cadd37d88c2a2c1f6118c40e24e14cabdc485b9eddb1e920fae93b3b605c498.exe
"C:\Users\Admin\AppData\Local\Temp\5cadd37d88c2a2c1f6118c40e24e14cabdc485b9eddb1e920fae93b3b605c498.exe"
1⤵
PID:1712
- C:\Windows\SysWOW64\ofewqcnt.exe
  ofewqcnt.exe
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:1136
- C:\Windows\SysWOW64\zlnfdgynxkduc.exe
  zlnfdgynxkduc.exe
  2⤵
  PID:1684
- C:\Windows\SysWOW64\xhkckquwqliicks.exe
  xhkckquwqliicks.exe
  2⤵
  PID:1892
- C:\Windows\SysWOW64\bbojsyhoab.exe
  bbojsyhoab.exe
  2⤵
  PID:1120

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1832

C:\Windows\SysWOW64\zlnfdgynxkduc.exe
zlnfdgynxkduc.exe
1⤵
PID:1808

C:\Windows\SysWOW64\ofewqcnt.exe
C:\Windows\system32\ofewqcnt.exe
1⤵
PID:848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c zlnfdgynxkduc.exe
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bbojsyhoab.exe

Filesize
73KB

MD5
937503be64beb992bc42bc131fa6e73d

SHA1
4bc10eb31768644bf82e41dc242d2c8675defb85

SHA256
e6b57ff51c73b61c887ed4dac5535b8778a9c7192740037185f5002792b87a94

SHA512
dee26f645ca2f545eabc974df2785b12b491e0f9ab6bb4b8a2a8ae2a38b0995a20c881ce5e58f5bd3f9adb6a58adaf9ee04233d991a223a51e335abd2a0c4439

Download Submit
C:\Windows\SysWOW64\bbojsyhoab.exe

Filesize
27KB

MD5
745cf189bd152eb58dc365581633cc3f

SHA1
3d602c81ae8262f44961d5cb9b9f9ee77fe0f2f8

SHA256
b6c082f10f36395ee98a360d051272b8152ec64d081c7d2d8e610072599c06c0

SHA512
90f52c29e3c75a722d57f121e183acf9e993cbded63355f9c7181e106ebd5497b7b6d139a8daa552392784a4df899fc5a4abbf9f79db252fae4cde7a7960c65e

Download Submit
C:\Windows\SysWOW64\ofewqcnt.exe

Filesize
37KB

MD5
a29e087feb060c23e13ace1bb58177ff

SHA1
260c7890fee417c6ac370bc3ab704632bb8df817

SHA256
5c29a140d6e8da6fb3de1be72725f1fe2fab8f73d2eeab2e03b94fba2d7232a2

SHA512
a8c7e839e8651b62fd5e9cb9082cb8c2158d3ff72f5850be1520ffd0ebe085d7bbb23871a20b31860510db6fb7aba96cb7e328346882461efc14b96011f0de4a

Download Submit
C:\Windows\SysWOW64\ofewqcnt.exe

Filesize
34KB

MD5
b5d8b5bb033c5f89eb8406c0f92ce896

SHA1
c144203738c71b41ea98246b387bef45e642f02e

SHA256
ac998728261329b7dc3f5592c08cda131dfc8ff86ccf10853d806d6ffe281cf1

SHA512
1c0983a7756d270eea20bc75fb10c76b28c7fb777607fcff2b083b226d22bc63e33618fbcf5c1a63a824f4ba4274948bd6a9a3f83de2f683a50011f4a8ce03e1

Download Submit
C:\Windows\SysWOW64\ofewqcnt.exe

Filesize
67KB

MD5
80346d4a7e8b93a1131ff0329e225fb3

SHA1
b3268d805b26e1b15808bdd990f5c2e488a48038

SHA256
4e0ae806f6374ab91881ab9e3d13470e55ec9d1995a45b58cb34390a24afce9d

SHA512
e2eb0106887ed9f1f975a0ea4b9e728db83aa76c77131471ed97b0fba9891c1a0a0dfd74f6a6aeb2508ec1927b2874cc1da72ef11a829c836fd13af4c5014ea5

Download Submit
C:\Windows\SysWOW64\xhkckquwqliicks.exe

Filesize
25KB

MD5
8928cc5fbab1fa4a53e095a6fd98f216

SHA1
36cea69c89cc6a917b99b2c2ed9995063b495ab4

SHA256
90212a5d0b9c00c33c1960c0cf1777da3fe1593c165051a390766f943f8492e2

SHA512
e72f7a9155e0397b40bae85e468372fc1ffc045117d392eb444d1d356c51a08b8c5943fb3067a58a04537e711ad86556d1cc3522bc107a0486d1131c2e62b438

Download Submit
C:\Windows\SysWOW64\xhkckquwqliicks.exe

Filesize
45KB

MD5
76352c23c9734c31dad24562b48f1441

SHA1
ead4428509de889aec629666d89e9f6c2772bfc1

SHA256
5db59108df787d06658d110daf8b6285dbb9b8f01c3e8f7ab7d5825f6d2d8ed5

SHA512
6c67d0d417653778f27b742982f7b65df8cad0d8613cdbea147e39d4b254dba8b2ab72cf27cdff5fd59d67ce7d2ebffc4cd2626f33cedc5830a22c439cb614c2

Download Submit
C:\Windows\SysWOW64\zlnfdgynxkduc.exe

Filesize
70KB

MD5
4d6fe39cc51e36a1fd1326c42bf74f29

SHA1
e809875b2c1f6319aefb23eea1decd0b17844349

SHA256
074d1dcbedd905a2223dac9af5adad888b6834509fe40b60164281e0ca837ee2

SHA512
16addd6e3cad8c5e322ca8a94d150827e94021596a0494ea4d6945eca45fafc90c8ac3dd8dd38d10968b3b78fa5d1071fa1bffa5bd84023edd14ea13fa89a9fc

Download Submit
C:\Windows\SysWOW64\zlnfdgynxkduc.exe

Filesize
34KB

MD5
4185f9696b6169611de7f2d273f004fb

SHA1
d15d4d6d00bed384ddb193678a45a8583cb73ecb

SHA256
f8c798eadf99a01c456cf291016796ca8157c85d9be3b42dbcfb94161f8bdaee

SHA512
3cc2605105569b38f02731c4289cc7db8a5a5757015c565a360786488d2cb2249191a32808e4c6e5d551c4a69a832455f5845ec3e83fd0809813e8a5a2366431

Download Submit
C:\Windows\SysWOW64\zlnfdgynxkduc.exe

Filesize
81KB

MD5
18fd81a27c5ef7305d85a4f508c07a20

SHA1
8e582f8d240a4638da2738ded5466ec792184ca5

SHA256
c7f37319611c68fea5c7b6f3117cc812cd800ec6bd46978d4056bf8a82124bce

SHA512
4276e69c0784632000a0d5c91039b1009689c9622abd251ae82f036cde73abb0887fe193b9d68ade2f7bea93e009a2d806027c8e689db0a73f781e903a9332ba

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\bbojsyhoab.exe

Filesize
64KB

MD5
a2ebd600260d6a33e0f98c1982ba3ed1

SHA1
8e132a98c9695b976dca8d6ba26b4714c73286bc

SHA256
e3b9f825d571e9bef90904aeea1014c1fbea1c0e8be3fee7b2485eb785c83f9b

SHA512
6368a7f200cf45de9683d72b355f4cca3eb6f64a44edd0b2b9df293064171a02b3f824964e6509b14e4fbb8d361ae53c4d173f90e5f5d21a33202183731e91a7

Download Submit
\Windows\SysWOW64\ofewqcnt.exe

Filesize
30KB

MD5
992803d06ff88bb3d3bebd308e051a62

SHA1
6dc5f7dd066ca38c8f9d41f929c465a4eb19eea5

SHA256
0dba37f653ce75a5538ffe159ed184de8debe92bc1211adf9fdaed23d7170ba8

SHA512
71caa73e4d5cadc18a3405fd5af32d0eabbc5535fcda017b61f650fed9b679ba9fcd5e3524ac8e94bafec509f0a66c14737d1975170f5a234c2e03b2f4e98654

Download Submit
\Windows\SysWOW64\ofewqcnt.exe

Filesize
38KB

MD5
15b6b4511f11b4e5974330703851a6bf

SHA1
434894754fe7b2877dc94c541270fd9f23b6ee63

SHA256
8e85445142afa386f2b8c473c884de7026197ded94cbbdd8754c0d02175ce57f

SHA512
7940ea8334f7a747d25575e3098c154426745888a13d768bd091cf8cc839b7c73ce78918eaedc46043dfe1132ae516321d24bf3d467ce2b30703c3c1071da57d

Download Submit
\Windows\SysWOW64\xhkckquwqliicks.exe

Filesize
43KB

MD5
ba21ebf44429d1e20d710c79c5992183

SHA1
2be85b4401b90e159560a6e0f3a314d6207051d7

SHA256
c105a1246e92e36d9aa11478415a927982b1677742cb67c6e59b5e74da2da473

SHA512
3bc1e1c3715bf16a0c5eb8ebe847113be6855f4cf21d52187b5a304992560dff2fcda8892b8de51ae2d0ecfa49077019a56fa3bc03da09ae7935c06d0f54b7fb

Download Submit
\Windows\SysWOW64\zlnfdgynxkduc.exe

Filesize
32KB

MD5
79f3c1aeceedce162006de7f366dc8b1

SHA1
38830dc25f40e38b6102fc8879996be138aa75ec

SHA256
03bde552c2edf9723a27aaac6470d109ffd181a92ab4c185706231fee70f334f

SHA512
f79e686db8ab7ce1ebb82bb3fb8070cdf65a2135a1110a740e140d91a5dc6b648466fd83ed0a4cd2fcf878ee397d3b4b02ac9176d060e32be3128a14dcef07bc

Download Submit
\Windows\SysWOW64\zlnfdgynxkduc.exe

Filesize
78KB

MD5
b94efeddeda07094921766da33725b17

SHA1
a4a10675dacb67e413b693288336783927c9773e

SHA256
8a1c6beb9a3c526f56801bd0a3c4c5724f897178638aa46514077182cc174201

SHA512
2c765b9131dd4fd4f309e0c3aad986128a58495c82a030cc9aec8d0e67736496f8444b1d157809d2167386c43f703df30854b6f710912022a67bb55bbfe81c4e

Download Submit
memory/848-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1120-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1136-97-0x000000006FE71000-0x000000006FE73000-memory.dmp

Filesize
8KB

Download
memory/1136-96-0x00000000723F1000-0x00000000723F4000-memory.dmp

Filesize
12KB

Download
memory/1136-101-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download
memory/1136-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1684-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1712-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1712-86-0x0000000002F20000-0x0000000002FC0000-memory.dmp

Filesize
640KB

Download
memory/1712-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1712-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1808-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1832-77-0x000007FEFB151000-0x000007FEFB153000-memory.dmp

Filesize
8KB

Download
memory/1844-91-0x00000000003A0000-0x0000000000440000-memory.dmp

Filesize
640KB

Download
memory/1888-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1892-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download