Analysis

  • max time kernel
    60s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2022, 22:53

General

  • Target

    226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

  • Size

    4.1MB

  • MD5

    5399ff9c8181e7600a5d20b9521f8ef6

  • SHA1

    2956df5c6bdab3e9c6bf2f17f6712943d2c4533a

  • SHA256

    226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54

  • SHA512

    d4ab3b67dcf604eda4b948643e6a3c10b56372e1a8ef74fd5e567c04a01de979ff505c2b2cb3b882b50ccb88e31b613a3207b10468e4016f2f78fa4f9737e88b

  • SSDEEP

    98304:Xl4CN9s4aaJ6JiTzYOtN1yMRH74VGjbDoLoq+SXfSX:Vh5JqiTzL1yMPq/XfSX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
    "C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
      C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:1420
    • C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT
      2001 5399FF9C8181E7600A5D20B9521F8EF6 84
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
        C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe C:\Users\Admin\AppData\Local\Temp\eYE5FB0jlh.dat
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EYE5FB~1.EXE >> NUL
          4⤵
            PID:1276
        • C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe
          C:\Users\Admin\AppData\Local\Temp\ZS3Hh2uG.sys
          3⤵
          • Executes dropped EXE
          • Sets service image path in registry
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\TLYCAG~1.EXE >> NUL
            4⤵
              PID:572
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLHLVV~1 >> NUL
            3⤵
              PID:1148

Network

MITRE ATT&CK Enterprise v6

Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                Filesize

                2KB

                MD5

                1a295f69dfd5c6f54042f8bc5b31a6af

                SHA1

                d2b64e2902114ce584f382cbd78b06354b6b14f7

                SHA256

                b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55

                SHA512

                3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\400EC0C30337DCB94CB9C65FAB2BF5CA

                Filesize

                472B

                MD5

                83343201c58ce331a5de9b207a0542a7

                SHA1

                678743995d807544cebfbf82d534094f8c356231

                SHA256

                27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115

                SHA512

                ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                Filesize

                61KB

                MD5

                3dcf580a93972319e82cafbc047d34d5

                SHA1

                8528d2a1363e5de77dc3b1142850e51ead0f4b6b

                SHA256

                40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

                SHA512

                98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                Filesize

                1KB

                MD5

                136889ac23008bfdfefb91c9e5d8a11d

                SHA1

                8343b8ef34dc565eda256e042b43064cb8017131

                SHA256

                35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5

                SHA512

                b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                Filesize

                488B

                MD5

                2867ce7d2d7815a64513046b43651098

                SHA1

                14abccac4b083847bd45b75b2f961658ce102581

                SHA256

                01edfade18de3223ee71523c90bb063b51b5a06ded7532bad52d1062ec0ab3b3

                SHA512

                33bc9242ce7f7a6014fc7874b8ee32ac94f92ee3294b503531b0a21102180f6de3133038e43e512666efa95d326c2b6e8a83a7b0a1ef6755bc888dd0a3304ac6

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA

                Filesize

                476B

                MD5

                bf590d9a3e929861d2533ff2b328fe40

                SHA1

                bb59528c458e7c19dbdfd9dac15a8767e7b24964

                SHA256

                c751a6ab02852b445e2db9e74cc6fc41e131b40c96a961b2a8bd56232476efd0

                SHA512

                2f4c23130ba5d264a1f81c7ba76ed9bb9f62a4bea6a4bdd3a660110ce25ccb7eabd72509fcc8f02aceb94701c7ecc93fcf80dce278e22ed7d9f60842f1cf73a5

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                e740351645128f3ee51f973ab6fea4ed

                SHA1

                f7fcad0f25466ba74189bb26b4b3dbcfac91673c

                SHA256

                79e719147509da5692a81bd47f79fa641df1ca4fd6da17ad843f9a1f627ce820

                SHA512

                646f47069f063da0d162b0436db60df8abf8f78848a34f8aa3414f7d33f18917ec3e947856aab371cc130c85bddc9179f34f7dd19b99a60d1e9aaefc7a28a82b

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                Filesize

                482B

                MD5

                82b7eab0fbc3065bb0ae647388fc9fe7

                SHA1

                12163d31764664fc87b76e6a5cda91cd7d747cf4

                SHA256

                3500c638861a2749bf5a498a0d2d59b555e628ac4098d5ff5326b9a5ffd2c579

                SHA512

                6251943e9e7aca115ccb96e2205894cde8391835bab5ff6f1960b4075c8dee25e732e57e6b4f5204733a9bc7d7a6d6ec5ce3ade23c67f10c2159b00041a0d97d

              • C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe

                Filesize

                102KB

                MD5

                4c839dc7014281acda2456d611ac73b7

                SHA1

                13073f7b2d0ce49143d021cec9d863c0597a6f3e

                SHA256

                188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e

                SHA512

                9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

              • C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe

                Filesize

                77KB

                MD5

                cd3f1df2d4a06ac82cd816bc799dd65e

                SHA1

                a77c7aa9b4857d0ec504403528e2cfe625b6bc83

                SHA256

                ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce

                SHA512

                60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

              • C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT

                Filesize

                201KB

                MD5

                f79f5ce86c81d6b0edb45a4a92c572af

                SHA1

                4f8fe0760f075c60831513637935049c697d9725

                SHA256

                d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317

                SHA512

                0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

              • C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

                Filesize

                4.0MB

                MD5

                48eed6e83346784e2213509f4892c0b7

                SHA1

                d9016ac27e6b370f75b0a6b25c9978c78be1b792

                SHA256

                d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05

                SHA512

                0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

              • \Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe

                Filesize

                102KB

                MD5

                4c839dc7014281acda2456d611ac73b7

                SHA1

                13073f7b2d0ce49143d021cec9d863c0597a6f3e

                SHA256

                188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e

                SHA512

                9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

              • \Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe

                Filesize

                77KB

                MD5

                cd3f1df2d4a06ac82cd816bc799dd65e

                SHA1

                a77c7aa9b4857d0ec504403528e2cfe625b6bc83

                SHA256

                ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce

                SHA512

                60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

              • \Users\Admin\AppData\Local\Temp\jlhLVVvnT

                Filesize

                201KB

                MD5

                f79f5ce86c81d6b0edb45a4a92c572af

                SHA1

                4f8fe0760f075c60831513637935049c697d9725

                SHA256

                d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317

                SHA512

                0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

              • \Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

                Filesize

                4.0MB

                MD5

                48eed6e83346784e2213509f4892c0b7

                SHA1

                d9016ac27e6b370f75b0a6b25c9978c78be1b792

                SHA256

                d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05

                SHA512

                0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

              • memory/1340-69-0x0000000000A60000-0x0000000000AAD000-memory.dmp

                Filesize

                308KB

              • memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

                Filesize

                8KB

              • memory/1340-55-0x0000000001190000-0x00000000019D8000-memory.dmp

                Filesize

                8.3MB

              • memory/1340-76-0x0000000001120000-0x0000000001177000-memory.dmp

                Filesize

                348KB

              • memory/1340-109-0x0000000001190000-0x00000000019D8000-memory.dmp

                Filesize

                8.3MB

              • memory/1340-106-0x0000000001120000-0x0000000001177000-memory.dmp

                Filesize

                348KB

              • memory/1340-70-0x0000000000A60000-0x0000000000AAD000-memory.dmp

                Filesize

                308KB

              • memory/1340-105-0x0000000000A60000-0x0000000000AAD000-memory.dmp

                Filesize

                308KB

              • memory/1340-61-0x00000000045D0000-0x0000000004DB7000-memory.dmp

                Filesize

                7.9MB

              • memory/1340-62-0x00000000045D0000-0x0000000004DB7000-memory.dmp

                Filesize

                7.9MB

              • memory/1340-97-0x0000000001190000-0x00000000019D8000-memory.dmp

                Filesize

                8.3MB

              • memory/1420-64-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/1420-67-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/1420-66-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/1420-65-0x0000000000220000-0x0000000000223000-memory.dmp

                Filesize

                12KB

              • memory/1420-104-0x0000000000400000-0x0000000000BE7000-memory.dmp

                Filesize

                7.9MB

              • memory/1468-103-0x000000013FE20000-0x000000013FE57000-memory.dmp

                Filesize

                220KB

              • memory/1468-101-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

                Filesize

                8KB

              • memory/1896-78-0x0000000000230000-0x0000000000255000-memory.dmp

                Filesize

                148KB

              • memory/1896-88-0x0000000003270000-0x00000000032C3000-memory.dmp

                Filesize

                332KB

              • memory/1896-89-0x0000000003590000-0x00000000035F9000-memory.dmp

                Filesize

                420KB

              • memory/1896-87-0x0000000003270000-0x00000000032C3000-memory.dmp

                Filesize

                332KB

              • memory/1896-107-0x0000000000230000-0x0000000000255000-memory.dmp

                Filesize

                148KB

              • memory/1896-108-0x0000000003270000-0x00000000032C3000-memory.dmp

                Filesize

                332KB

              • memory/1896-74-0x0000000000230000-0x0000000000255000-memory.dmp

                Filesize

                148KB

              • memory/1896-110-0x0000000003590000-0x00000000035F9000-memory.dmp

                Filesize

                420KB

              • memory/1896-90-0x0000000003590000-0x00000000035F9000-memory.dmp

                Filesize

                420KB

              • memory/1896-112-0x0000000000400000-0x0000000000457000-memory.dmp

                Filesize

                348KB

              • memory/1896-77-0x0000000000400000-0x0000000000457000-memory.dmp

                Filesize

                348KB