Overview

overview

8

Static

static

8

2c665dcd2a...9d.exe

windows7-x64

8

2c665dcd2a...9d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    21s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe

  • Size

    255KB

  • MD5

    27aa4494a1f7ba34d359eba10c98b1d9

  • SHA1

    82dda9f760f8777719e824ac4b63d8bec8933477

  • SHA256

    2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d

  • SHA512

    34fa1624a0f452b661e5966fd55623021941b269eef6031e32ae79c0b9c11803bea2698b8182bee06eed37e03d1e27efdde05ad6ecd78abf5dc80fffc67245d7

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJs:1xlZam+akqx6YQJXcNlEHUIQeE3mmBId

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe
    "C:\Users\Admin\AppData\Local\Temp\2c665dcd2a8786b49c29239c04c0d5c147b76128da33b6e780a215705f99279d.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\SysWOW64\zodyhcesaxgspnr.exe
      zodyhcesaxgspnr.exe
      2⤵
        PID:3524
      • C:\Windows\SysWOW64\hmhvjggmufxpz.exe
        hmhvjggmufxpz.exe
        2⤵
          PID:5104
        • C:\Windows\SysWOW64\ldbrvsej.exe
          ldbrvsej.exe
          2⤵
            PID:1092
          • C:\Windows\SysWOW64\cwesaxmotf.exe
            cwesaxmotf.exe
            2⤵
            • Executes dropped EXE
            PID:4764
            • C:\Windows\SysWOW64\ldbrvsej.exe
              C:\Windows\system32\ldbrvsej.exe
              3⤵
                PID:3152
            • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
              "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
              2⤵
                PID:3596

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\cwesaxmotf.exe
              Filesize

              19KB

              MD5

              bbf56cb03902a6f95ca26e761f9cd60b

              SHA1

              021a2839d434e6f3288d2ec0e5fb5ed2d48d18b6

              SHA256

              b90021ffe78f5611d6aa4c5bf6582df6c64548ea9909307991e667951323dc14

              SHA512

              07ca793f74aff86f6929e09008a9d72fa0dc80d884354c8a1f8a56061c3e50204b323cc74c91ee2c0370510252d48135cc2757aa54357d2e758f052acbba151f

              Download Submit

            • C:\Windows\SysWOW64\cwesaxmotf.exe
              Filesize

              6KB

              MD5

              aab6379c6de6d92fcd7be1a3fd3fdde0

              SHA1

              4f366d20ed9e05e776b1f44b90c0481a18df353b

              SHA256

              71085408b6c6c50e00f946459c6c782aa08956068544e503a1e28c2702037ddd

              SHA512

              259259b8d1a92582c32a4c3cc3546e9cd6da70e5e1829093d45a6f4e2c4bbf407082b9dba3dea67b78800445b0f7cc822be902b56679f7d2836dfb4a2f4b5297

              Download Submit

            • C:\Windows\SysWOW64\hmhvjggmufxpz.exe
              Filesize

              51KB

              MD5

              ee46a5dd0a894f5444335c5af0fb32dd

              SHA1

              84d2e21d9ac37b965b8baa0c0ebe470661bc9692

              SHA256

              4f1c958a7e248e270078bbd61607c39cb687873b222f5c1d77731c32b705766f

              SHA512

              5abfcb9a378fbe3521aa4248daa56639d7c660f46a15b55cbe75ab65cd68aaf119e53f7a8f76dc116dd56773d0555065e90b925b23aa1b063858889dd54bd83e

              Download Submit

            • C:\Windows\SysWOW64\hmhvjggmufxpz.exe
              Filesize

              4KB

              MD5

              1f6afd9d56e9c43191ed95e1f3ee4eb7

              SHA1

              d077f9c4f9bbec7c9a3922efad349d082c4f34f8

              SHA256

              9e27c4d6f1a079d89cec1972db3d74764f0613562569e09b848442be8f1ae47e

              SHA512

              95ad7a9026605bc219164c4e7ca7af4d2e2a18a1ea628d53533028b4a4fb030b5ab1b2093255a4cd53159e184119f4e1721dc63a1eb1e5455c6c2d6f43bcc03d

              Download Submit

            • C:\Windows\SysWOW64\ldbrvsej.exe
              Filesize

              7KB

              MD5

              21de9cd2415cf1ad1edd80782fd16466

              SHA1

              cf3f142f21ce189ed5aa843a2336381c29e41f8e

              SHA256

              37aad9296c980604bd7d2e8164b02fcaea260329bb3469fec82e81774097830f

              SHA512

              079b8504dd727c2edd81d3f3d7de65428505e2a1416eea02353dfbb7afc7f9eb99b40463149be0fba615ab50da8a223c4e3172642d57cfde6476b64a48e0befb

              Download Submit

            • C:\Windows\SysWOW64\ldbrvsej.exe
              Filesize

              29KB

              MD5

              e96a724dabb1fc05ee6a8d1f1ac2ea03

              SHA1

              8975a96ef8dc1b8d579d9bf8b982b70f93832640

              SHA256

              5b5140d3ecffa9623e7219c43ee14d230baf0972533a0ce64f8a19598ca9953b

              SHA512

              5835767055f68ed89cf9bd81e10d228a11a3e580acf839b6f09d2a621c6a957fdcc20f5e5d31d8ab15b8fd5a07ee03e53c33179665bc4d426e4483eb9245793f

              Download Submit

            • C:\Windows\SysWOW64\ldbrvsej.exe
              Filesize

              5KB

              MD5

              b7e6f537e17fc06a565c60f11ef9da56

              SHA1

              98847ca9a2110036bd41425ecd63e1d57fe6add9

              SHA256

              7189241c98988595f7eb47e5bbf66588a9772ce5fef07810b18badda2c817d2f

              SHA512

              b969e4365bcba6d44036cebdecedb79f42adfa0070831a159465fc1698a072dc93cc37a4379b86d622e46f439c3ba16919a2275652e6bd321a4e046817b2f520

              Download Submit

            • C:\Windows\SysWOW64\zodyhcesaxgspnr.exe
              Filesize

              56KB

              MD5

              effff353cb6ecebcfbba3c2e9413c894

              SHA1

              c8261daf7cf294fca0dca0d2b9e16eda658a50f3

              SHA256

              10204542d4d0b59ebfbfb536b542bd6650ab24645de1c9a76ba39ef15b057ffb

              SHA512

              b78e4ea52971402bd9af27074f1db7de14537aad4742e64749e774b8210cb526728b0c0c56298cd345b47bd62c3bcd69bf779d72fceb9a0c0ed00ac49cbe29af

              Download Submit

            • C:\Windows\SysWOW64\zodyhcesaxgspnr.exe
              Filesize

              24KB

              MD5

              ece43c52a6c3f3f9edeb5799e9cb7840

              SHA1

              61edc598496c2196248ddf777e3c1dc67ea1dc3e

              SHA256

              1fb0e89441135d9260f4de7b9ecf8ed7c0a8c2e27f33fe5ac9bb79842bb68315

              SHA512

              7e6c0d64ee1a13669f44e3cf095c5f9947b2768cb0d6d80c80332c78578f2d3bd148bcce6bc378dd80740ebf2adf14e4b45095df4ea206b9531618af75635652

              Download Submit

            • memory/1092-156-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1092-147-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1092-139-0x0000000000000000-mapping.dmp

              Download

            • memory/3152-148-0x0000000000000000-mapping.dmp

              Download

            • memory/3152-152-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/3524-155-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/3524-146-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/3524-136-0x0000000000000000-mapping.dmp

              Download

            • memory/3532-132-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/3532-153-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/3596-150-0x0000000000000000-mapping.dmp

              Download

            • memory/4764-144-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/4764-154-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/4764-133-0x0000000000000000-mapping.dmp

              Download

            • memory/5104-151-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/5104-142-0x0000000000000000-mapping.dmp

              Download

            • memory/5104-157-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download