Analysis

  • max time kernel
    148s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-11-2022 05:36

General

  • Target
    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe
  • Size
    419KB
  • MD5
    0c85f8e37afb7b1bf85ad3d38746ec90
  • SHA1
    b725e2e59964812866eb92cfef09fe5bef3f6d93
  • SHA256
    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b
  • SHA512
    e87e42c8664681d2b9d5abe899466486635ad6a799fd0632e43b4428a700d3cca45869b04a71f53c1bbf63b9411cab4a626b7b91773f7317e4cb489aa2451e53
  • SSDEEP
    12288:1g2MA3Mw3Ewq/4QhSQTS7jb90EFwDviaPAm:F33v3EwVQmykqiaPP

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe
    "C:\Users\Admin\AppData\Local\Temp\caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe" "del" C:\Users\Admin\AppData\Local\Temp\caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Drops startup file
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:516

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\System.exe
    Filesize
    419KB
    MD5
    0c85f8e37afb7b1bf85ad3d38746ec90
    SHA1
    b725e2e59964812866eb92cfef09fe5bef3f6d93
    SHA256
    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b
    SHA512
    e87e42c8664681d2b9d5abe899466486635ad6a799fd0632e43b4428a700d3cca45869b04a71f53c1bbf63b9411cab4a626b7b91773f7317e4cb489aa2451e53

  • C:\Users\Admin\AppData\Local\Temp\System.exe.ini
    Filesize
    11B
    MD5
    301a3e5a5c08c60b2952122a97e1a838
    SHA1
    c85da2ebd9e1098eed686b8c74016bee728bb942
    SHA256
    89886e624db56b7f7e7a0a857fc7e63ebfffe9eb69b329489b79dd0a3e24f7fa
    SHA512
    ce1dcdad347d6c8e6a798b915f8a8d8ac1be4851c0064ab62e80aa85103a472f402b688e94950099a812db1134917fe9d51a7dfa0504e0174e94acdad8ee34d9

  • \Users\Admin\AppData\Local\Temp\System.exe
    Filesize
    419KB
    MD5
    0c85f8e37afb7b1bf85ad3d38746ec90
    SHA1
    b725e2e59964812866eb92cfef09fe5bef3f6d93
    SHA256
    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b
    SHA512
    e87e42c8664681d2b9d5abe899466486635ad6a799fd0632e43b4428a700d3cca45869b04a71f53c1bbf63b9411cab4a626b7b91773f7317e4cb489aa2451e53

  • memory/1224-66-0x0000000000960000-0x0000000000A4D000-memory.dmp
    Filesize
    948KB
  • memory/1224-69-0x0000000000960000-0x0000000000A4D000-memory.dmp
    Filesize
    948KB
  • memory/1752-63-0x0000000001380000-0x000000000146D000-memory.dmp
    Filesize
    948KB
  • memory/1752-54-0x0000000075111000-0x0000000075113000-memory.dmp
    Filesize
    8KB
  • memory/1752-55-0x0000000001380000-0x000000000146D000-memory.dmp
    Filesize
    948KB