fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742

Analysis

max time kernel
1s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Size

255KB
MD5

47944c0209f656e1f13696740e76b7bd
SHA1

af63487dc88aab1defb05e11e72020521b5a7fda
SHA256

fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742
SHA512

a04de9a52753b76a5f69dac50102e30ce97b09b4cb002433439c7c2687b864bd6d4a98b902905fa887259d465e370f64f5f72ae2967ac7418a0c8b1a8957f232
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJG:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIx

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1320	zfcapyyxmy.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x00090000000126a2-60.dat	upx
behavioral1/files/0x00090000000126a2-62.dat	upx
behavioral1/files/0x0008000000012744-67.dat	upx
behavioral1/files/0x000700000001311a-71.dat	upx
behavioral1/files/0x0008000000012744-72.dat	upx
behavioral1/files/0x000700000001311a-69.dat	upx
behavioral1/memory/340-74-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1356-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2016-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000700000001311a-84.dat	upx
behavioral1/files/0x000700000001311a-82.dat	upx
behavioral1/files/0x000700000001311a-79.dat	upx
behavioral1/memory/1740-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1320-76-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0008000000012744-65.dat	upx
behavioral1/files/0x00090000000126a2-64.dat	upx
behavioral1/files/0x0008000000012744-88.dat	upx
behavioral1/files/0x0008000000012744-86.dat	upx
behavioral1/memory/836-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1344-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/340-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xxupwrlqyilwdjm.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File opened for modification	C:\Windows\SysWOW64\xxupwrlqyilwdjm.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File created	C:\Windows\SysWOW64\mlppxfal.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File opened for modification	C:\Windows\SysWOW64\mlppxfal.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File created	C:\Windows\SysWOW64\wnsronhjumbwj.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File opened for modification	C:\Windows\SysWOW64\wnsronhjumbwj.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File created	C:\Windows\SysWOW64\zfcapyyxmy.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
File opened for modification	C:\Windows\SysWOW64\zfcapyyxmy.exe	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF894F5A82139137D7297D9DBDE7E637594A67456242D79E"	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC5FE6921ADD178D1A88A0E9165"	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60C14E5DAB4B8C97CE3ECE337BA"	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C7E9C5183276D4577A0772F2DD67D8365AB"	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9BCFE13F299840C3A4386973E90B3FD02FD4364023EE1CA42EA08A7"	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B15F44EE38E252BDBAD432EDD7CA"	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 1320	340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe	22
PID 340 wrote to memory of 1320	340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe	22
PID 340 wrote to memory of 1320	340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe	22
PID 340 wrote to memory of 1320	340	fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe	22

C:\Users\Admin\AppData\Local\Temp\fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe
"C:\Users\Admin\AppData\Local\Temp\fc2a274a54c1c0db5fc6ee2579b8889cb128148b96b46923f29e6d41f5b4e742.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\SysWOW64\zfcapyyxmy.exe
  zfcapyyxmy.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- - C:\Windows\SysWOW64\mlppxfal.exe
    C:\Windows\system32\mlppxfal.exe
    3⤵
    PID:836
- C:\Windows\SysWOW64\mlppxfal.exe
  mlppxfal.exe
  2⤵
  PID:1740
- C:\Windows\SysWOW64\wnsronhjumbwj.exe
  wnsronhjumbwj.exe
  2⤵
  PID:2016
- C:\Windows\SysWOW64\xxupwrlqyilwdjm.exe
  xxupwrlqyilwdjm.exe
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:1496

C:\Windows\SysWOW64\wnsronhjumbwj.exe
wnsronhjumbwj.exe
1⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wnsronhjumbwj.exe
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mlppxfal.exe

Filesize
22KB

MD5
f866dcf344939e03a4734525a69c7b7e

SHA1
95d507a3eadafa5889bd5320d8a88a3832cbc7a6

SHA256
11c32b6b76ad7b8f44f5992e3425a61022855f35deae773e2aa46d8b78d23603

SHA512
e2790fd7ded07173ce237ccc0d2401c4026025b74ba14e43b17e313e0a4a4aca55fccc57c36d9aaa31d922fb8b2624fbf8d042facaa8355111ba245888f4f7aa

Download Submit
C:\Windows\SysWOW64\mlppxfal.exe

Filesize
25KB

MD5
540ea2f117e848c3f3dc1757333035bf

SHA1
43bb2b04ef07330c9ab156583cfc56dcb0659e40

SHA256
c84438250a0fa16ff9563113f2c006f54441ee518ed8b4525ac97efd6ae4d444

SHA512
1b59fc333c1b0533d4ebff709e84b047c885a434454624746bf5598db16e41e2ef8ecbbc75ba887dc49b28ed1a7806b761e83cdb014963af32f255f83cd6ac3b

Download Submit
C:\Windows\SysWOW64\mlppxfal.exe

Filesize
7KB

MD5
15fce18614bc5a6e5facc042acc394a0

SHA1
5b16933b00a1bae15cbea005cbafefe2dbc770e0

SHA256
4ac7f76949545a51bbadaae77d23593abd084f8b13bfa18e5cc27bc50ddc13c2

SHA512
8899493dbc63d25ee2e88bd77b55ff665d24adf313a40808573a02c76158f8dede4298ec1debed23fe2e9d27131a3c5763bb5aedbd13a649dc212dce924a7054

Download Submit
C:\Windows\SysWOW64\wnsronhjumbwj.exe

Filesize
7KB

MD5
0c1397c1e96068645a2b9781694028ab

SHA1
2035bb25a35637a84c1675fd7892982e21c1efc8

SHA256
bf2fa264bd31c628d8895ba861a05e8fb4e4dc1882a8eeb60f4139bed5e7da37

SHA512
d3855adf5976e57abdc5d8bcdb04b074fd6eee0dc965472331300043fbdc6378dc8d77f2b765ad6e50403ec96a34548dece576d2e4730722a309cb0c76ca7dfe

Download Submit
C:\Windows\SysWOW64\wnsronhjumbwj.exe

Filesize
40KB

MD5
bfb1c66a9fa042089112fe1547f97bd4

SHA1
295c55153079e65dc54c2d5d442c065e334681c4

SHA256
785e1c96a7621c4fc717c35cce1a52814188f6214685e4fd8dc1e763eb901974

SHA512
de65710581152678c6b5d5dc94c16d1dd67fe31307f0031fe6080b4428fffe5da95e9269a85493f75278cd191264bdeb4044d1c21847e3682b326eaa60615ba2

Download Submit
C:\Windows\SysWOW64\wnsronhjumbwj.exe

Filesize
3KB

MD5
1640c5346ae7a1cd37b6cd9f91de306c

SHA1
871d9bc6e94e9f515ebd1edb694de5a0f60e9ccd

SHA256
0e5b5011b279780c8f4f4b8fa0506c966fbe43c4dbfa5b1c2a6dc85fcbb364a2

SHA512
1bd881dc780dc15c38c47364dc9ae722897bc8eeab73f9ed8595552912fd2a7d0f4c6f9fa3931f97c32016d0461167b289c362400ba56d4373d3226541bc3df2

Download Submit
C:\Windows\SysWOW64\xxupwrlqyilwdjm.exe

Filesize
4KB

MD5
31169082ab288516eb654ae20d8a3244

SHA1
49ffcf51e21f62c00a7e643b6ead19cd3b689f1f

SHA256
a3bf722ac24bfa6edefdd9daa8ed156d504bbf28faab217afc617ae847dff406

SHA512
2b15cddad4950e409570ee3d5ee15df4cb31fc89a4f2c0865071576bca5eb1950248f780f121c8510062574272cc488ac773c0f84ce12b30063a273efaf7b973

Download Submit
C:\Windows\SysWOW64\xxupwrlqyilwdjm.exe

Filesize
6KB

MD5
c7cd5ff53dd5af856b989dd8772685e8

SHA1
aca56a995d8e42ef599faf1014381d8741ec9da8

SHA256
0373796849a4fe19a7387852bfb3afe83c40936267654b76e980081c257cf1c6

SHA512
0583d9f246b0a7a3b73c8c7f0bdafc705ccbad95a12fa483366183d3b0aae42d9ce5fc20db8f5ec99c0ce50d9b1735d7c9e0ee6f598c2c10b5a5fd7ac60cdd2c

Download Submit
C:\Windows\SysWOW64\zfcapyyxmy.exe

Filesize
6KB

MD5
e4a7dfae0923cd5a9f26ee52302b0019

SHA1
7fe2ee3019ba7edadefa743f1919a3ca9344a5e1

SHA256
f4aed63f5c76c319ed16b904e35d305cd8b783d42b6ef18b9c464715d6c7ad89

SHA512
fd4d25c53fa59728d978d44c136ade655333d736f395a2e46c17cfe4c5b326e985bd7aaab06d2eb2c0567948ce2c6217073c3072a616b4e3390ef88cffb78e51

Download Submit
C:\Windows\SysWOW64\zfcapyyxmy.exe

Filesize
82KB

MD5
39da70b3e2b06eaf1528a0753aa80d1f

SHA1
4a1023f4b5da60520b26a37a68d84418e137cb61

SHA256
2c21adfb4d3a59384c861df06c6a71b25f86e8997f2875745cf09834da49989c

SHA512
e0a152b473c638c78a6e17418efe6f3d9c5c902221e3a045f4a379d784806c6cd145120814c94e8054abdfaa25f52cbba69d80b23c9dc9743257f905d1b062a7

Download Submit
\Windows\SysWOW64\mlppxfal.exe

Filesize
21KB

MD5
77989e7ba2d103306b626092a6da8598

SHA1
b949b6214707150010799faf685de4c2794d0723

SHA256
24809c7455f94a4b5a47e07cae774615941f6b47b2610572376dd0b9d6368b69

SHA512
b426ea76b39e3f66339240f6f03f751f0726c7567f417cafc498bb80d391817354826efa7f1484c13eb6e54bfc4235a876974b918d858aa730989cabdf029a48

Download Submit
\Windows\SysWOW64\mlppxfal.exe

Filesize
24KB

MD5
53c3588cb645aff28cc0740f21fd5ce6

SHA1
292c0cbffd6952f32e89ecabb29ef91d0940bfc6

SHA256
e98b02d040faf543247f092a586f2b6c209fb6201ce3e7542e25dba6c1d5b08c

SHA512
936f9a05567d6ff104d31ea6305323914e386062471e286de187a8e6576caa9fc699e88519448eeab6e86d97d7c6a77c37d1888a482e67ac9291dc7b3cafce06

Download Submit
\Windows\SysWOW64\wnsronhjumbwj.exe

Filesize
21KB

MD5
3593cc228afa2bd6c827b64cd17a649d

SHA1
5d7dfee77fbd516e7426cfe0206cd0e6284a6127

SHA256
feb9cd9500e2d89885721d1acfa112da24a5bf99850280fffeee8a61746090aa

SHA512
036e1e82284310e6cf5f9ce21e4e0be78027569d717c25992be2122993cd7bea44c263431f73acaa8b24cf9d2ae235dc8a859fe9522d1054d161de1b17c1bfd8

Download Submit
\Windows\SysWOW64\wnsronhjumbwj.exe

Filesize
17KB

MD5
9e52198dba852c2c2059a7e6b653b051

SHA1
f0236a634953b7068bd64b4d77633e5182e326bd

SHA256
43944a4a75aff10cfa5d5f85a28d48360e5844960942b6d3c3bbb3e447460f04

SHA512
e50d4ea8682e68466ff03dabafa75ca51c6e3e391f480774717bfb42c5d5cd9f21abd186cb9c0a0a4636444f64282f04f7a123b664ba7041fe5e4a3f7e78c609

Download Submit
\Windows\SysWOW64\xxupwrlqyilwdjm.exe

Filesize
41KB

MD5
18decd3ff457bc0034888c23405add5a

SHA1
5b1d54643c3a224e25b4209bcd4dfa2bd9435e61

SHA256
e972dc8397b036109f86e732cfd1fd319b77812b0eeaf20883ec5b4c2b7970d9

SHA512
38e196d9cc6d4dbb052aa972bbadc56d2b7aebba03b4ffd6107f785dfbb58362197e35d9bab9f6b7432cf3780f077bcd8523bbad5a3b7f16e1b4b1cfdadc4858

Download Submit
\Windows\SysWOW64\zfcapyyxmy.exe

Filesize
4KB

MD5
fbd28d15389c67d79d4361adf505cea8

SHA1
b0ff8daf48cb8d31cba8caaf30fd31bf6c83a39a

SHA256
519876d3af479dc68b92cf00a33aa034b9a7a0eed4142ea0d412be4363f5216c

SHA512
84ccd392355ff337341bd9655c18767e87f5c8f12e423e27bdbc53905e3f634946c6ec26b3c1582451c223ffbb7f60be288048a2fe589d68b237d73fc45271e8

Download Submit
memory/340-74-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/340-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/340-75-0x0000000002E90000-0x0000000002F30000-memory.dmp

Filesize
640KB

Download
memory/340-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/836-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1320-76-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1320-90-0x0000000003880000-0x0000000003920000-memory.dmp

Filesize
640KB

Download
memory/1344-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1356-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1740-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2016-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download