2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d

Analysis

max time kernel
26s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 04:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Size

255KB
MD5

27aa4494a1f7ba34d359eba10c98b1d9
SHA1

82dda9f760f8777719e824ac4b63d8bec8933477
SHA256

2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d
SHA512

34fa1624a0f452b661e5966fd55623021941b269eef6031e32ae79c0b9c11803bea2698b8182bee06eed37e03d1e27efdde05ad6ecd78abf5dc80fffc67245d7
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJs:1xlZam+akqx6YQJXcNlEHUIQeE3mmBId

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	oaqeujxpvl.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x000a000000012302-60.dat	upx
behavioral1/files/0x000a000000012302-62.dat	upx
behavioral1/files/0x0008000000012310-65.dat	upx
behavioral1/files/0x0008000000012310-67.dat	upx
behavioral1/files/0x0008000000012314-70.dat	upx
behavioral1/files/0x0008000000012314-77.dat	upx
behavioral1/memory/388-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1704-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1772-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1324-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1340-80-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1748-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0008000000012314-75.dat	upx
behavioral1/files/0x0008000000012314-74.dat	upx
behavioral1/files/0x0008000000012314-73.dat	upx
behavioral1/files/0x0008000000012310-71.dat	upx
behavioral1/files/0x000a000000012302-64.dat	upx
behavioral1/files/0x0008000000012310-90.dat	upx
behavioral1/files/0x0008000000012310-88.dat	upx
behavioral1/memory/1684-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1748-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zujraaakvqwlg.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File created	C:\Windows\SysWOW64\oaqeujxpvl.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File opened for modification	C:\Windows\SysWOW64\oaqeujxpvl.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File created	C:\Windows\SysWOW64\qpagokjpvycumrz.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File opened for modification	C:\Windows\SysWOW64\qpagokjpvycumrz.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File created	C:\Windows\SysWOW64\bhwnrhhy.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File opened for modification	C:\Windows\SysWOW64\bhwnrhhy.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
File created	C:\Windows\SysWOW64\zujraaakvqwlg.exe	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9CBF917F1E7837F3B4A86EA3E91B38903FD4312023CE1BA459B09A0"	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15B449039EC52CCBAA1329DD4CF"	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC82482A82139140D75F7D94BDE6E634584666406332D7EA"	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B3FF6E22D8D10FD0A28A759010"	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC70B15E7DAB1B9B97FE5EDE737CA"	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C799D5783236D4276A1772E2DDE7CF164AC"	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1340	1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe	28
PID 1748 wrote to memory of 1340	1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe	28
PID 1748 wrote to memory of 1340	1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe	28
PID 1748 wrote to memory of 1340	1748	2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe	28

C:\Users\Admin\AppData\Local\Temp\2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
"C:\Users\Admin\AppData\Local\Temp\2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\oaqeujxpvl.exe
  oaqeujxpvl.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- - C:\Windows\SysWOW64\bhwnrhhy.exe
    C:\Windows\system32\bhwnrhhy.exe
    3⤵
    PID:1684
- C:\Windows\SysWOW64\zujraaakvqwlg.exe
  zujraaakvqwlg.exe
  2⤵
  PID:1772
- C:\Windows\SysWOW64\bhwnrhhy.exe
  bhwnrhhy.exe
  2⤵
  PID:388
- C:\Windows\SysWOW64\qpagokjpvycumrz.exe
  qpagokjpvycumrz.exe
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:544

C:\Windows\SysWOW64\zujraaakvqwlg.exe
zujraaakvqwlg.exe
1⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c zujraaakvqwlg.exe
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bhwnrhhy.exe

Filesize
27KB

MD5
e9e2c2e7bb51d0deca9598e1e90aa1e5

SHA1
ea43fc98ca799858771860daa3ab11470824d3a0

SHA256
418d5cefcc2047f6732ebb7b0fcafbdcfcc85ada68b1448e797c220b00d0df59

SHA512
de615ad60cb741e3cbc1bec0791fb3f912ab12126ede16e4c105e0742fd67cff966a8e389cceafd79b773b6e9f4bc1af146ca9712e64d3e222546dabee7afcb3

Download Submit
C:\Windows\SysWOW64\bhwnrhhy.exe

Filesize
11KB

MD5
e7f73c9a2f19f65ac70259f5a26e4277

SHA1
52bc8eaa062db63d80ae163e0bac33f6d4140f3f

SHA256
10b6d7f74f942da9bfd24e5bdb7aee24cad9db8ef6eaa99a7f90a7cd6623d569

SHA512
2f00a0425c50714503f031533e0bb049973ad2eb95f550e209840ccc8f3fd99ec39dec709989c3ed08fec9f7a69b345b567062b57a83a5e8c9a36f0bfcda5c94

Download Submit
C:\Windows\SysWOW64\bhwnrhhy.exe

Filesize
33KB

MD5
42653400bea95def2bdfcefe1043691c

SHA1
68fd674aca4e1789f735d3e43f259c3b2573ead1

SHA256
d2b6e2b0e2c3815ee806ee7046b3107afc175623ac7fdcc141425f603e058f1f

SHA512
f23a321b316dc847ef8aac439368f47db3725f7f3988033eddbfeeca5ab06ab94801b153d24eb2023448b731baba6691c9b89e1d8175129942ce82905e0f6812

Download Submit
C:\Windows\SysWOW64\oaqeujxpvl.exe

Filesize
23KB

MD5
a2c10f13badec635114fe4fd5a7ee164

SHA1
723feb82501b0a30d5fc7af5e8fab3c08ede8b27

SHA256
cac173ce7ad687dff3cf8665f32b150b9a94452b0bcd62f5505c6dc1092d60d2

SHA512
49d866e8fbf858932e9f50fbfc4e2ddaa93a76653914fd80dde07ec05b5cbf9a63e89de61cc0fc2f70e8868112197b5895a89428c5313f53cb510524ab523699

Download Submit
C:\Windows\SysWOW64\oaqeujxpvl.exe

Filesize
15KB

MD5
92131546d87479ee7706bd6bae4e938c

SHA1
0c56f717e7c4213d8c017a566e1ea2232efbb903

SHA256
27665b292bb59108fd4a21ec68f46f6548efb76a4ae8335d31d43f3240080de1

SHA512
2320babc7586057e244d6de7c945c120a606bf98a89601ca7410dfea9a8078ebe98aa3fe839a60d06d6166a354fc3a53f115ed6abc0501a2478d87760d202379

Download Submit
C:\Windows\SysWOW64\qpagokjpvycumrz.exe

Filesize
39KB

MD5
929029af6bb6a2d9fde46e2556dba4a0

SHA1
6ffbedad2f98b31d637bbd14b34a48c43f5924c3

SHA256
8d62c00592252619cf25a77091f683a615f1ad76d7ae8e33c525628d968506f4

SHA512
9c4e52d8c41868cbde75a78ecab1a4c894af1b4024a2302055e88e255fb7c67e89cd8de8672e54ea3ee5c9fc25a51bcf1099e66ebdd7eedfb2d45718819a209a

Download Submit
C:\Windows\SysWOW64\qpagokjpvycumrz.exe

Filesize
18KB

MD5
d339b7070972a66c7c174d237a16be7d

SHA1
d0929868621c6bb58958d76a3c12c3da6d5e6dbc

SHA256
5332ee821fce472042876734ae583cf49983ce1b5b10960256cbb5bb0f384871

SHA512
59bf7b52063611fd5195f6738d70f3157726e92c56664336feb59bd0618de98f6399059ddb8f8cc27386bdc2c6bb082945344ad6cd02fa8d81599acb741ebfca

Download Submit
C:\Windows\SysWOW64\zujraaakvqwlg.exe

Filesize
47KB

MD5
cf647382d40c1156dc671a457002d8b5

SHA1
6b054ebefc03a6a59bf6ae329b2c4f1b1426f20c

SHA256
90e17b7e31b28489292eb391c8e6129e0b561afd6c6db40339062369b26f9a75

SHA512
fc81e00612307e6621d2a6b46c2f834bbebed18ef8e6029fca891d142f7840c9c6e59965b182f952b88b815151dfa618a62f8b6f39b22fa2ebcd836bf15d45ad

Download Submit
C:\Windows\SysWOW64\zujraaakvqwlg.exe

Filesize
12KB

MD5
7ee29f6f33a6736fc0e9dc5359cd0476

SHA1
05436780d9588bdbf845331d0650bcab78e7f3f1

SHA256
b4cef361d07039ef53e1ee6b3f17e488b71ef8bd9fac43b684713c1b8542aa13

SHA512
8be09292eb76771a3b5316b214ce01cb02c8d474e3821e3032e2939bae1fc56df87263b6f6e5b5c777db30a65b673232b9a80cf58f3a64fa5a6f783669db99da

Download Submit
C:\Windows\SysWOW64\zujraaakvqwlg.exe

Filesize
9KB

MD5
a11d358f6098a750d5fb61dc936859bd

SHA1
12f4afcd0e62ddff1c753ecfa605edb0456322bb

SHA256
969cdcac1382858c4a15f49dac7772be3e1ecb661b01a0705bcd375c5783346c

SHA512
818d01255b3f9b6a17680a707beef9a099c9f63678b0e32e20d5317286dd55afca92b14f6843de0604bcbe6214e25d2559abf52469553a273c2a3d727bd56229

Download Submit
\Windows\SysWOW64\bhwnrhhy.exe

Filesize
19KB

MD5
5c98512d9cb0a84a49167f6f3df761f5

SHA1
0d1aa07cb53febfb035586cbcf986e16b8b74b2f

SHA256
ed4e1ed0332810c51d59b5fd1ea744a2269c6d8a1ad255d704dbac3675768abd

SHA512
face99765cd35bb22032ff20f8802bea4bd8c2e1535a6c6cd8d11ae6e8d75ae565536328fddeff03932d511727b13397741d63a5e7e24c2fc8b6bbd7467c5bee

Download Submit
\Windows\SysWOW64\bhwnrhhy.exe

Filesize
43KB

MD5
6ccf6879dd2ee009f815acaf9f738375

SHA1
c78e15c9909c5b010c40d1d28b5a611b9440ca6f

SHA256
0b428a36c9baa2bf67af13559b26b6daa1dcc355133ffac1e631efdc8f9a2937

SHA512
949d5f5afb7f0a97fbd905cc44ac0d4a1d66f54eb89db6cd0d000d87f71c5923e9a07a4cc2f13cb599bb42ed276d2daa4aac1b0ba33b07905ea8e781666e7335

Download Submit
\Windows\SysWOW64\oaqeujxpvl.exe

Filesize
16KB

MD5
ecd88795249c9a393a7c9a4dcf4e3c7a

SHA1
67e96f7d51cfc681965e0e732fcd60ecdc408959

SHA256
485e291464535a5ab37889435b65b2f71eb7213915a79e1edbddc34f7c3ef98d

SHA512
6791ee4ab6ea7291d8ef6a6782970382e34ebf985e723270c3f7d09405cd1787233c50b0b77738997cee7ca6c73695e4aaca484a2e90f7caa8728101d4b5587c

Download Submit
\Windows\SysWOW64\qpagokjpvycumrz.exe

Filesize
24KB

MD5
96c5e53360fbcadb5467077a3db7c299

SHA1
1faab016c204898959c11bb5b0c41550786785e2

SHA256
052d284eb356bac4d8c6abf1c25be0d94dd3726c5693941c317e1e9f95d79299

SHA512
f9ef1212ece521a5bf8f8579cbac78384cdb5d7561aa7454e6df4d58e0b7168b88d60c43f409d2774ea84fb7a540ca50792f1f6de69e2e0665ba3866608083f9

Download Submit
\Windows\SysWOW64\zujraaakvqwlg.exe

Filesize
25KB

MD5
70877d659575657551006fc2eef7b5fc

SHA1
6e8c0fa9aa60a845145b7e846d44a3e1bb5a6e62

SHA256
b6828083fef9fde3fff335cb75ed39a5b938a1b21043c6972cc330f79ee8f1ce

SHA512
9c8579c8e74ba6ed7558fc8b8417349c70fa3633e40f0f273e2b27fcd554a7423c147770f25440b3291de9c4accd402d29090f8e8b36d794487b85c3e1bbed86

Download Submit
\Windows\SysWOW64\zujraaakvqwlg.exe

Filesize
40KB

MD5
63f409a48e1249486e0ae45a521a0bc4

SHA1
b04bc091f65ab2394a1b96a2a510f3465fafa717

SHA256
e934f325778fccda85e22a57a15ee5385e2f6d25006e25d909e540166a0001ae

SHA512
58c8d50f5504efac613edf0d7df64896f930d88f7e9a9edb6de597b9f0144fb50e30626a563f9ec8eca06504b3ea575359c58f3a81d467b5d1004292b0b9d71d

Download Submit
memory/388-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/544-96-0x00000000725F1000-0x00000000725F4000-memory.dmp

Filesize
12KB

Download
memory/544-97-0x0000000070071000-0x0000000070073000-memory.dmp

Filesize
8KB

Download
memory/544-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/544-100-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/1324-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1340-80-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1340-94-0x0000000003D00000-0x0000000003DA0000-memory.dmp

Filesize
640KB

Download
memory/1684-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1704-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1748-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1748-79-0x0000000002470000-0x0000000002510000-memory.dmp

Filesize
640KB

Download
memory/1748-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1748-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1748-82-0x0000000002470000-0x0000000002510000-memory.dmp

Filesize
640KB

Download
memory/1772-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download