Overview

overview

10

Static

static

8

ec6add0059...70.exe

windows7-x64

10

ec6add0059...70.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    3s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec6add005982cd1c9c18d605f73d6fd1c7f9473c0b22e4ddc2f18314f6497c70.exe

  • Size

    255KB

  • MD5

    91a0eff743584b12bd2cfa94d2a46516

  • SHA1

    95d102de6d9c5ebcb8e06fddb0af8c746e36a643

  • SHA256

    ec6add005982cd1c9c18d605f73d6fd1c7f9473c0b22e4ddc2f18314f6497c70

  • SHA512

    2e517bbfb462bf17d38bbc2ed94fb1428666fba872e425331188df38e48d3bb63e75c24b3a61ccc4a1fb14f7632a0b93e3f41c3a3a6e22458e01b366d8fd6cac

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJS:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIb

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec6add005982cd1c9c18d605f73d6fd1c7f9473c0b22e4ddc2f18314f6497c70.exe
    "C:\Users\Admin\AppData\Local\Temp\ec6add005982cd1c9c18d605f73d6fd1c7f9473c0b22e4ddc2f18314f6497c70.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\exucxkdqfa.exe
      exucxkdqfa.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Modifies WinLogon
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1480
      • C:\Windows\SysWOW64\cylujeai.exe
        C:\Windows\system32\cylujeai.exe
        3⤵
          PID:1992
      • C:\Windows\SysWOW64\vsfsuxbjjzptk.exe
        vsfsuxbjjzptk.exe
        2⤵
          PID:1716
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
          2⤵
            PID:1828
          • C:\Windows\SysWOW64\cylujeai.exe
            cylujeai.exe
            2⤵
            • Executes dropped EXE
            PID:2012
          • C:\Windows\SysWOW64\gdtqwtqdxqzzlca.exe
            gdtqwtqdxqzzlca.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2000
        • C:\Windows\SysWOW64\vsfsuxbjjzptk.exe
          vsfsuxbjjzptk.exe
          1⤵
            PID:552
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c vsfsuxbjjzptk.exe
            1⤵
              PID:1984

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\InstallApprove.doc.exe
              Filesize

              52KB

              MD5

              4cef03bbb0ecdb4190ad818d8d8430b7

              SHA1

              8a8cccea3fc5f0a16f2859bab4576716f4a71388

              SHA256

              7b4abd5f54cf66e3f51578a4a11a8d9a0dbf45d6822e9e08bdc94f755f8b028e

              SHA512

              3d800555a66658659772e2393e2082de0ff297b733f4ff30e159a5ebf601cfb417e469a5cd4ca7aed2169ab5dee25c7d28bd89d6d1bf644cb3464466a9b9edc1

              Download Submit

            • C:\Windows\SysWOW64\cylujeai.exe
              Filesize

              47KB

              MD5

              d173eb64e21513c87df6b58a8d744280

              SHA1

              4ad1e056f008871ab45123561e7f5e4581bac229

              SHA256

              fa169f6050459356afa741ca7608aed0054f61eca872d755fe2c1d40ee5daac0

              SHA512

              afa6ef758823c8efc774ba65cf06327ff50b63b598fbe8c2424a50a8c356a7cc886d48f2f675ea4efce7b748be065cd8afbe35c78133740fff3b00372fa91693

              Download Submit

            • C:\Windows\SysWOW64\cylujeai.exe
              Filesize

              53KB

              MD5

              b50f8260fbb146cd552c13d1029e11e1

              SHA1

              baee0b3ff6f9ed02f40ced9deaf0569e9d4dbfc8

              SHA256

              129930e8785a5bd4751f107f20ebeaee53fac97a054d3998192c9cd9b20530f9

              SHA512

              cf080a4efac709e6e90e4fd4933790dec85eb8b90f3d4239f2cf75e51b90250e9d1260755f799e9a339435c106a72252532181bf0a018222f3af8923340b6d2e

              Download Submit

            • C:\Windows\SysWOW64\cylujeai.exe
              Filesize

              93KB

              MD5

              f784c2a69ba40a86b3022b3849be43a0

              SHA1

              12f0edefadfac0a6103e5439b493ecdcc1bc563b

              SHA256

              d342c87f7e129d9802cee7017cc379d6e179836a2f2d47a01b8d47586a1e1b63

              SHA512

              5467663970165623b305263b040a6aed67de27090d00f2ca0d2ea1b873823dcf925c3d20bdda2840ac48ace56c2f3436edd965d7ff556141081ae398fe21ffdd

              Download Submit

            • C:\Windows\SysWOW64\exucxkdqfa.exe
              Filesize

              44KB

              MD5

              5c82e091a801cf1348f66b12f1ff0397

              SHA1

              410115026b06cc6b856a990168788043b6314d55

              SHA256

              eee284e01875354645985390ad62dd3f38e868c3f39de2a134c17d7c87f9bec7

              SHA512

              b0e7db9de86542657b1f4b2252d8fd5450292deccfd5b7ed5071dba112f264ac2fda458d03e93704179133cf81755d7a70db2b009035a0df7db151d614152137

              Download Submit

            • C:\Windows\SysWOW64\exucxkdqfa.exe
              Filesize

              48KB

              MD5

              7682a55a3e8b7406d9285659ce040830

              SHA1

              9f11aaba1b009c6bfc9cc53fc678c2c105dd7ad3

              SHA256

              f7a2c0ee4560b12cbb0170add3ff4b154ce52af1de2fe4564d5a90ea62b59682

              SHA512

              95642e88167f18ad0dce8fb7d0589abd1a36b44c6a665ab3e092147b3902af30c9255ea1d4df18f2f187893a31fe3e93d8908ca29d4110febfbfff6013c484aa

              Download Submit

            • C:\Windows\SysWOW64\gdtqwtqdxqzzlca.exe
              Filesize

              99KB

              MD5

              0a12349cff0427d05fa4a7022df43cd7

              SHA1

              2c77e96fa40679da4be85e6ca44d2bda0e429a84

              SHA256

              2f9165ff4c6896671462a82d2a78d39a69ecbf99b131c4e8c7a6231c47e5e056

              SHA512

              4656595440d39af856992e6e06c7ca2d53390c8f78e1e905b2869c9b15312e4f31c4c66dba6a2d167617e3826788259710bc36b724a2333448796f37e705c6cc

              Download Submit

            • C:\Windows\SysWOW64\gdtqwtqdxqzzlca.exe
              Filesize

              49KB

              MD5

              d4a7ec8302fa4020f6695d61803e5a86

              SHA1

              e55b0ccba8979d33a9126d1e943d1da0ddc9cdcd

              SHA256

              7df847af1f34b7c9d38ab9b46ba91105362c0362b886e11c7e294e0df95fa451

              SHA512

              df37e90eb4d9416294ab747bb764e1e718734c4111a916b8b66dc4bd0b47839e7306b582e4cef79b67b03fb03b227f76358f4bef00689694146473172e78c290

              Download Submit

            • C:\Windows\SysWOW64\vsfsuxbjjzptk.exe
              Filesize

              106KB

              MD5

              37efe75bbcef18b96b19a3b1f912c96e

              SHA1

              3a5680c91525787767b6e604db1f6e349e932a6a

              SHA256

              83032e8c69ac00e63bdab2f60b4daf6d1278ddad63f6e0b743d26f6b566d86e4

              SHA512

              cca751f336c70ef08c2859445942291a5fe409aab9e055ac50a06138637871335748e5a6d0fa7e73c6975cff145a3549df5d71eccc7abc355847c170846ab0c2

              Download Submit

            • C:\Windows\SysWOW64\vsfsuxbjjzptk.exe
              Filesize

              125KB

              MD5

              b6df05457ff15380210fc8817336c776

              SHA1

              e6d97631f9da1995f0e1566ec429fdd1643a3a17

              SHA256

              e1d3539012fb6b4a8bda6010b6531bc88238cb765f2c347c5cb5b47de8eb570b

              SHA512

              8bddbfa5e25451f4d4bc9a9a978e2daa4e735338077e5f37b9addf1fdc358d125622e3e59e89b55de2b75ac775b159c7c810cba1b3efb811f9d9c9b706f103f2

              Download Submit

            • C:\Windows\SysWOW64\vsfsuxbjjzptk.exe
              Filesize

              62KB

              MD5

              7efe03bc8c4af5a35d88b3efb9dca86c

              SHA1

              41da90e0040c22a589bef7bec80bb684ca848aaf

              SHA256

              2265367439bf07012f1b1ad0c91219f834f790b63d6b3f66fe549ce13e92f19e

              SHA512

              05d7cb98235b4736be9a359bed752132e3dfd5dd01e508453e0bee0c84026a961f61898710f4a384c4b1e2806d09563428f04d3679474699f9aee60d67c7987d

              Download Submit

            • C:\Windows\mydoc.rtf
              Filesize

              223B

              MD5

              06604e5941c126e2e7be02c5cd9f62ec

              SHA1

              4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

              SHA256

              85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

              SHA512

              803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

              Download Submit

            • \Windows\SysWOW64\cylujeai.exe
              Filesize

              68KB

              MD5

              685406068b312607b8426a3d35cc1809

              SHA1

              678b2e97743c500dad78e1fdfeadf8158551a0e4

              SHA256

              97c6686fdff401f6629a4e69259694519e9bd265d7655ce9661f23755988abd7

              SHA512

              18455536c095f1f690a130767b41ee783f539edccb20776b4e5814e36cc0927137637f0a4d8c18827faec9ec25551ada030067b226f99ee4cd02d87b9f0e9be6

              Download Submit

            • \Windows\SysWOW64\cylujeai.exe
              Filesize

              106KB

              MD5

              f1ddd192d3119d7cc5c87962c6165ada

              SHA1

              5d8203790f4c26d0edf21b4db97d29ab88054300

              SHA256

              bacab8d6d58a42792055762905768d8fd7387ef5880c22172db1a16f4acadb6a

              SHA512

              0ffb64facfdcdeb5e2e677c261efb59af66efde45f0604ae54ae5a9559cb6ca2a726596d4f84678cae69466e5516350301b1852cf6b4c74879476463aa6a4fd7

              Download Submit

            • \Windows\SysWOW64\exucxkdqfa.exe
              Filesize

              80KB

              MD5

              4db7541346dee5a43840cf1ced6fb19a

              SHA1

              670e73e0103dc4831682f5920f97216e4e5342aa

              SHA256

              8563f4c92547f57b8eb97661c6ea1ad44284714a466dcf6c69a5e8a6cd2d57d9

              SHA512

              9156e6ad09bb11a5488459c5c9a4e516ed13b017677c6fcc340ff4d56cf22931b516f18752ace49910bfda1b3c01da2ff36378525956b863813557ebba965c87

              Download Submit

            • \Windows\SysWOW64\gdtqwtqdxqzzlca.exe
              Filesize

              69KB

              MD5

              81572998bcd2cd117502840e58ca4fe3

              SHA1

              ef357f651bd8c7e269d9f2a55eb0af34745fb566

              SHA256

              42f31bc2f71c62177b304be076c1b31d7cc706dded1426cf7324e8ab6a15073a

              SHA512

              72254d797b1a47b8cfe2a762de6dece7b4ab744f6db59e945e05fc1ebdd20f2aa688ba6b11c736d40183d39b02a121d69e5fee646e3a38da055197eed45f1e31

              Download Submit

            • \Windows\SysWOW64\vsfsuxbjjzptk.exe
              Filesize

              54KB

              MD5

              5533abf5a7944801a3354928184efa24

              SHA1

              77674627b92301b298cf1b5f7bd7819af942119c

              SHA256

              0ff6a6e9963a39bb94529f491dd9dc75b8cae88a04262de5cd996c5b90f6db7f

              SHA512

              f9c0919391861aeb4a38e4f54073dc9b90d312f9147ea5487980feae52fcab4c601acede4e4fdbd3c5ae47c2842867b8e217c8217f3b256a2a0b10c65a96ea4d

              Download Submit

            • \Windows\SysWOW64\vsfsuxbjjzptk.exe
              Filesize

              57KB

              MD5

              aa2f353d51fc2de4b9fef4f8d4c826d5

              SHA1

              4731e4cb43a5e503a309f1d5d1aab528fcffa2ae

              SHA256

              8c2be5e5e130151d5057c3e38b4cf105043b87b3e02205b5444c02abd8b70097

              SHA512

              b893b03a37cdd5f4ea202447b7f756e2d68e76a14c33865235b5c9757f4165bee0b017d51d450f52caa13af310d3b1e263623a385e2317d0466d4652e96fa348

              Download Submit

            • memory/552-91-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/552-106-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/968-81-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/968-54-0x0000000076831000-0x0000000076833000-memory.dmp

              Filesize

              8KB

              Download

            • memory/968-94-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/968-85-0x0000000002210000-0x00000000022B0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1480-86-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1480-102-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1716-105-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1716-89-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1828-95-0x0000000072FD1000-0x0000000072FD4000-memory.dmp

              Filesize

              12KB

              Download

            • memory/1828-101-0x0000000071A3D000-0x0000000071A48000-memory.dmp

              Filesize

              44KB

              Download

            • memory/1828-96-0x0000000070A51000-0x0000000070A53000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1828-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1984-90-0x00000000007B0000-0x0000000000850000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1992-98-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/1992-107-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/2000-87-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/2000-103-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/2012-88-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download

            • memory/2012-104-0x0000000000400000-0x00000000004A0000-memory.dmp

              Filesize

              640KB

              Download