9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c

Analysis

max time kernel
3s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Size

255KB
MD5

80eac3530070b2fdd724d5c64b2ee6dc
SHA1

ff01b00245f4117b2189f595726f50c80e70d4f5
SHA256

9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c
SHA512

3ffeabf65f4d7d879892344ba3bb64da5c92761e33bae03c5e0acc5c243d7c166fc060347d06d097e74c0ee179c2316b5ba85eedea238cae162f577a7f9dfc70
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJK:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1260	iwjuayxwvx.exe
4816	xxhnvvbsildbriq.exe
4680	kfjniofc.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4932-132-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/files/0x000300000001e64b-134.dat	upx
behavioral2/files/0x0002000000021b42-143.dat	upx
behavioral2/files/0x0002000000021b42-144.dat	upx
behavioral2/files/0x000b00000002171d-141.dat	upx
behavioral2/files/0x000b00000002171d-140.dat	upx
behavioral2/files/0x000300000001e64d-138.dat	upx
behavioral2/files/0x000300000001e64d-137.dat	upx
behavioral2/files/0x000300000001e64b-135.dat	upx
behavioral2/memory/1616-148-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4680-147-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4816-146-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/1260-145-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/files/0x000b00000002171d-150.dat	upx
behavioral2/memory/4932-152-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4528-153-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4680-156-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/1616-157-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4816-155-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/1260-154-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4528-158-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zxfnhyxxtxlqy.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File opened for modification	C:\Windows\SysWOW64\zxfnhyxxtxlqy.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File created	C:\Windows\SysWOW64\iwjuayxwvx.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File opened for modification	C:\Windows\SysWOW64\iwjuayxwvx.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File created	C:\Windows\SysWOW64\xxhnvvbsildbriq.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File opened for modification	C:\Windows\SysWOW64\xxhnvvbsildbriq.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File created	C:\Windows\SysWOW64\kfjniofc.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
File opened for modification	C:\Windows\SysWOW64\kfjniofc.exe	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D7F9C2382236A4677A0772E2DD97CF165A8"	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9BCF965F197840F3A4786993E92B0FD02F84313033BE2CC42E909D2"	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B12C47E439EC53BEBADD3293D7C5"	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFC8F4826851F9130D62E7E9DBCE5E63658306734623FD69D"	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB2FE6F21DAD27BD1A88A0C9063"	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC60815E3DAB5B9BD7C95EDE237B9"	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
1260	iwjuayxwvx.exe
1260	iwjuayxwvx.exe
1260	iwjuayxwvx.exe
4816	xxhnvvbsildbriq.exe
4816	xxhnvvbsildbriq.exe
4816	xxhnvvbsildbriq.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
1260	iwjuayxwvx.exe
1260	iwjuayxwvx.exe
1260	iwjuayxwvx.exe
4816	xxhnvvbsildbriq.exe
4816	xxhnvvbsildbriq.exe
4816	xxhnvvbsildbriq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1260	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	33
PID 4932 wrote to memory of 1260	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	33
PID 4932 wrote to memory of 1260	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	33
PID 4932 wrote to memory of 4816	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	32
PID 4932 wrote to memory of 4816	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	32
PID 4932 wrote to memory of 4816	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	32
PID 4932 wrote to memory of 4680	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	30
PID 4932 wrote to memory of 4680	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	30
PID 4932 wrote to memory of 4680	4932	9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe	30

C:\Users\Admin\AppData\Local\Temp\9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe
"C:\Users\Admin\AppData\Local\Temp\9ed8ff7fd2ab2c2532cf23f6fc2e2745debf955482abd0b785342ebe1a86798c.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\kfjniofc.exe
  kfjniofc.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\SysWOW64\zxfnhyxxtxlqy.exe
  zxfnhyxxtxlqy.exe
  2⤵
  PID:1616
- C:\Windows\SysWOW64\xxhnvvbsildbriq.exe
  xxhnvvbsildbriq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4816
- C:\Windows\SysWOW64\iwjuayxwvx.exe
  iwjuayxwvx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1260
- - C:\Windows\SysWOW64\kfjniofc.exe
    C:\Windows\system32\kfjniofc.exe
    3⤵
    PID:4528
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\iwjuayxwvx.exe

Filesize
46KB

MD5
331c421e2287e36d7a5a74685441ce79

SHA1
5729e544accc5bc41f7f0fa1a7309b6ccded2c4a

SHA256
4b0393d6984d9859663ace3d030404c6fb867ded9a8a8fee8fce776454df76b6

SHA512
b393b37641bbb2a92efcd2560b2837c9055e69d45b084ff030d54492aa527f422b160943a466fc2eaad213b8930e06ed3a06bceb06d83f8fd9e559064f3fec58

Download Submit
C:\Windows\SysWOW64\iwjuayxwvx.exe

Filesize
37KB

MD5
8ec531916ad6ad8780f62c1cf95eaaa2

SHA1
42d5530181b7d58cfa318260062730b9f59f48f7

SHA256
275c69852e2cad5575854edb0ed99cd6592196af165e7415626d748b1e133431

SHA512
d06a62144543e614b77bbc3a355bcecd7d6be30eb89fa412438220af427957830774f9d09a0072e0f8840485db5076289191503855f89ea747368c1b6204238b

Download Submit
C:\Windows\SysWOW64\kfjniofc.exe

Filesize
46KB

MD5
8024b7ed5f7856e754d21cbcf25453e8

SHA1
9635ee9e84ba585cfa769e0673748ba2e16f8a6f

SHA256
40e1293c82a7f1355f751c7357c46d84e9f1d4aad8595743e3d64239602f8bce

SHA512
5c6afb64eddc9ace9dd45c7b01e4129d8fcd70ab04edd6a3fe0213d7d576360561b6b845dd01d8ed5c2d9d7e91081a6521bfc33fa6742b5f73aa90e9832c2c28

Download Submit
C:\Windows\SysWOW64\kfjniofc.exe

Filesize
26KB

MD5
46e45b54345ce315c26c7941b7cb7f7b

SHA1
985076f455a0f265704dc176b04b1a522b073894

SHA256
cd9ad12c2df12b1820c150e2971873622a75ca67f4f1a5cdee15ef8e6747fbe2

SHA512
d56ad63908c623e3974dac8124e947acc00d45d5e8f05a14288b00e1cc892f1cfc82bd784616220f850ce1a0060f51ca746810d647366d3cca7f56052980f125

Download Submit
C:\Windows\SysWOW64\kfjniofc.exe

Filesize
44KB

MD5
6363f166e921e1625eea87421f2ee3fd

SHA1
29b9dd6cfb6efd873599d288e940112e5fdc362b

SHA256
0eb0636ba88b4f8f37f249ed8e5c309f7f7d1ba12b75acf35bbeb58f79e24d73

SHA512
b666a05f34efb1716467e7a09485067872253a425c2edbf737efb3506521ca72ce23e511bb2cbc48dc2596d133e4d792d6c641c1e8324b353382f03bb457caf7

Download Submit
C:\Windows\SysWOW64\xxhnvvbsildbriq.exe

Filesize
63KB

MD5
dc46bf2d7109cd6eb0ab5ce01d598491

SHA1
02b8bb36c8ad813fdfb5fefeffc45f592c8327c4

SHA256
d704166773a9618fbf79d7f6cc4fc572cf5d7f341283451fa18a8ef56bce6d53

SHA512
12e1d63297b2d78bff06069536c9cd64ea007a550c3a77475086695fdb4f0decb54377a1667dd3e28e27d1f487bd7e9a02beec2860d39aee679f705fd79903b5

Download Submit
C:\Windows\SysWOW64\xxhnvvbsildbriq.exe

Filesize
66KB

MD5
703338e3703ec71c96a20cc273740016

SHA1
cb8588ec79bd450f6ef8249f4478c7e80debdac2

SHA256
2c69000086ce6913617c83dc94793a214bd32ddf9d97995be74ac54cb41d583a

SHA512
cc19d54fe3d9f883f4f529448f545a7e31a721d8e53a0cb5978d88c7bec0a1aad603ca4e681403624228ab2ed759ddc0159d0fa4c2c6bedb38c7e29fda7997ff

Download Submit
C:\Windows\SysWOW64\zxfnhyxxtxlqy.exe

Filesize
53KB

MD5
0e770aa94f93a5be2d918fa14595b69f

SHA1
fd87dfbf49127cb8c0805f21746d113a8d1467c4

SHA256
4fcae188e34191eef0235f1a20b66593ada99140aee1e0ed4fce33b76d221b13

SHA512
db6dc586e8b5ff10b35b71f4a04073c0bb70f523769fd0d173be1a1d4a5ce338393b480fc219242a939513a9e6cd2b311982ea77ee9f5c39ea1085a8b9ad7ae7

Download Submit
C:\Windows\SysWOW64\zxfnhyxxtxlqy.exe

Filesize
32KB

MD5
b2b15e9c783efa9ded323fddb3dbecde

SHA1
9a81e871594b6a1c76408cb7e423603b42810134

SHA256
2ad788e53ab353a1446fed3a6d16f36a16bc6cc0ba46371fdf3f0d9579c889ae

SHA512
bcf30bfd953f52cdb4d71649377db4ee3a782f84aaad4c87fea3249f8429dc7b8789566e69f1cef470ef269bda4ab230b3ca8f1e72df802e3b38d28128463271

Download Submit
memory/1260-154-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1260-145-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1616-148-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1616-157-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4528-158-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4528-153-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4680-147-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4680-156-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4816-146-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4816-155-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4932-152-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4932-132-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download