Overview

overview

10

Static

static

10

0f57756953...e9.exe

windows7-x64

8

0f57756953...e9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    166s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 18:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe

  • Size

    276KB

  • MD5

    0b6c2aa99b919cb214c9ee8b0919f9f5

  • SHA1

    b8282fa0acc8166c6ea48daa251c8d990fcda52c

  • SHA256

    0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9

  • SHA512

    38601a5bb2e57a0e7bc24158d7c3388024b58da912e59a733adc3e824c3b34742b5654c1213175a3c32e6c55aa80ab1848c077eb46a14b2c2a19cf1cb6ae7bf8

  • SSDEEP

    6144:v4ABF94TpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXKx:gU1GLE0kuGnESBx

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe
    "C:\Users\Admin\AppData\Local\Temp\0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      PID:1856
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:1536
      • C:\Users\Admin\AppData\Local\Temp\0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe
        "C:\Users\Admin\AppData\Local\Temp\0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
        • C:\Users\Admin\AppData\Local\Temp\0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe
          "C:\Users\Admin\AppData\Local\Temp\0f5775695352815e9bd7bbaa654ae9f2c0396653c328fd548aed3d687b96bfe9.exe"
          3⤵
            PID:112
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1272

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                Filesize

                222KB

                MD5

                365b9b7e90c7ebc9490c88137661b834

                SHA1

                c2b04ada0d539a54549f3ed04653ff27b8038403

                SHA256

                de53b0a3f6a75493a1b505b84e54e08e13c3ec28f99443965711391bcecfff00

                SHA512

                347a548a6e2f2f68171d5bbbbcb3f453a8ce23cd30e44aa0b71f577b8b5e5038439cd0fc18d89abdf6746308d48625925f1d975524e598340314a6c1f3980c88

                Download Submit

              • memory/308-56-0x0000000010410000-0x0000000010471000-memory.dmp

                Filesize

                388KB

                Download

              • memory/308-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

                Filesize

                8KB

                Download

              • memory/308-65-0x0000000010480000-0x00000000104E1000-memory.dmp

                Filesize

                388KB

                Download

              • memory/308-74-0x00000000104F0000-0x0000000010551000-memory.dmp

                Filesize

                388KB

                Download

              • memory/308-80-0x0000000010560000-0x00000000105C1000-memory.dmp

                Filesize

                388KB

                Download

              • memory/1272-59-0x0000000010410000-0x0000000010471000-memory.dmp

                Filesize

                388KB

                Download

              • memory/1508-85-0x0000000010560000-0x00000000105C1000-memory.dmp

                Filesize

                388KB

                Download

              • memory/1508-89-0x0000000010560000-0x00000000105C1000-memory.dmp

                Filesize

                388KB

                Download

              • memory/1508-86-0x0000000010560000-0x00000000105C1000-memory.dmp

                Filesize

                388KB

                Download

              • memory/1856-64-0x0000000074751000-0x0000000074753000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1856-72-0x0000000010480000-0x00000000104E1000-memory.dmp

                Filesize

                388KB

                Download

              • memory/1856-70-0x0000000010480000-0x00000000104E1000-memory.dmp

                Filesize

                388KB

                Download