a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6

Analysis

max time kernel
146s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe
Size

279KB
MD5

06d2c663301af4b8e9c3179e52bb4f25
SHA1

1eb3995e7034fe83f4a4941aaa4b9c703021392b
SHA256

a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6
SHA512

673bb2fc511f487ba908a628bdb8cd65c8d03a4ef0384baf339bc73534e8ad8d910cd57aafead44add24fa10bdd6ca78027566c15abce1475fc48ba9c47dcb0c
SSDEEP

6144:y9k1/S4wM3e34Pl7UyZtnl72LiMNCUyZtnQF4ao:8k1/SPMdljtnl4igwtnQFjo

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
480	svchost.exe
4676	ATF-Cleaner.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e49-137.dat	upx
behavioral2/files/0x0006000000022e49-135.dat	upx
behavioral2/memory/4676-140-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
480	svchost.exe
480	svchost.exe
480	svchost.exe
480	svchost.exe
480	svchost.exe
480	svchost.exe
480	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\messenger.exe = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Components\\messenger.exe"	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\messenger.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\messenger.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022e47-133.dat	nsis_installer_1
behavioral2/files/0x0007000000022e47-133.dat	nsis_installer_2
behavioral2/files/0x0007000000022e47-136.dat	nsis_installer_1
behavioral2/files/0x0007000000022e47-136.dat	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
480	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4676	ATF-Cleaner.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 480	1448	a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe	79
PID 1448 wrote to memory of 480	1448	a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe	79
PID 1448 wrote to memory of 480	1448	a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe	79
PID 1448 wrote to memory of 4676	1448	a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe	80
PID 1448 wrote to memory of 4676	1448	a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe	80
PID 1448 wrote to memory of 4676	1448	a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe	80

C:\Users\Admin\AppData\Local\Temp\a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe
"C:\Users\Admin\AppData\Local\Temp\a47998c5c44b4551b1e4969bcc39f72e1eef62f4f87409c01850dfcf40f76ff6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:480
- C:\Users\Admin\AppData\Local\Temp\ATF-Cleaner.exe
  C:\Users\Admin\AppData\Local\Temp\ATF-Cleaner.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ATF-Cleaner.exe

Filesize
49KB

MD5
d9de89f0faf18019bc9595f0f47bca61

SHA1
7a044dfe1c5e780f3f2b52b3bd066e463a37886e

SHA256
e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a

SHA512
236d2908eb66bf50e4645e9f1d1b6bf8f276d7d3648625c84c5fe1fed5c7a8e69383515201a6ba92804f5fa2ee2f63fcb73f32b6932990ab8d43750edcc4768e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATF-Cleaner.exe

Filesize
49KB

MD5
d9de89f0faf18019bc9595f0f47bca61

SHA1
7a044dfe1c5e780f3f2b52b3bd066e463a37886e

SHA256
e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a

SHA512
236d2908eb66bf50e4645e9f1d1b6bf8f276d7d3648625c84c5fe1fed5c7a8e69383515201a6ba92804f5fa2ee2f63fcb73f32b6932990ab8d43750edcc4768e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISArray.dll

Filesize
19KB

MD5
14b848866035dea39b912da628307231

SHA1
d00c8963aee8038d8a22f098cef69b31007196e5

SHA256
6a129a9eefae85a9412e889e0c74fdaa21d20254fa13cacef5429885775017dc

SHA512
4538058426c742bf7d823d1cac5303eeff8bf0b524459262181ac79695eead705e7590ae63ce996b8e3afd9a6c8d1fec503f9a11772ebe5c5c4e01930ed97b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF61E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
168KB

MD5
a589909b706cb56ed100b34cd1eaba8f

SHA1
62f691d8ee9e68eb9ec4b1f5f81d2ac6d2329224

SHA256
53ad4387cc26ef8669004e1599b06a88218a47b8d627027466f73fb0aa891a88

SHA512
71df9e55e6eca7adea93abcc013ed1bd13e804cf54cb48f75da7ee162ad0331af7c86b658ed8a9f09b42ca55d14c29185ec8478424be31596c8a95fc8a268f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
168KB

MD5
a589909b706cb56ed100b34cd1eaba8f

SHA1
62f691d8ee9e68eb9ec4b1f5f81d2ac6d2329224

SHA256
53ad4387cc26ef8669004e1599b06a88218a47b8d627027466f73fb0aa891a88

SHA512
71df9e55e6eca7adea93abcc013ed1bd13e804cf54cb48f75da7ee162ad0331af7c86b658ed8a9f09b42ca55d14c29185ec8478424be31596c8a95fc8a268f31

Download Submit
memory/480-144-0x0000000005681000-0x0000000005684000-memory.dmp

Filesize
12KB

Download
memory/480-147-0x0000000002BC1000-0x0000000002BC4000-memory.dmp

Filesize
12KB

Download
memory/4676-140-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download