53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
Size

212KB
MD5

07460cdabe3cded3f4589a72bf13deea
SHA1

560c7f3aba7f66cc33782c595a88586526bb8d60
SHA256

53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021
SHA512

72b245d5cc9150769196bbffb8067fd02d210f89775131a503ca716262bbfc59bf97d6c7e92070be34ca44503e2cf88f07ed3e1de0edbe49f84a9ea3587953f4
SSDEEP

6144:Xs8ZSfWInb7CRu4EjMvQYGayMsq5FK6ts/gS0:Xs8Zac0ayMskPbS0

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1896	1.exe
1628	5.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/files/0x0008000000005c51-57.dat	upx
behavioral1/files/0x0008000000005c51-60.dat	upx
behavioral1/files/0x0008000000005c51-62.dat	upx
behavioral1/files/0x0008000000005c51-61.dat	upx
behavioral1/files/0x0008000000005c51-63.dat	upx
behavioral1/memory/1896-69-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
1896	1.exe
1896	1.exe
1896	1.exe
1896	1.exe
1628	5.exe
1628	5.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\6.exe	1.exe
File created	C:\Windows\system\5.exe	1.exe
File opened for modification	C:\Windows\system\5.exe	1.exe
File created	C:\Windows\system\1.exe	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
File opened for modification	C:\Windows\system\1.exe	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
File created	C:\Windows\system\6.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	5.exe
1628	5.exe

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe
1628	5.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
Token: SeBackupPrivilege	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
Token: SeRestorePrivilege	1896	1.exe
Token: SeBackupPrivilege	1896	1.exe
Token: SeDebugPrivilege	1628	5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 2016 wrote to memory of 1896	2016	53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe	26
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1896 wrote to memory of 1628	1896	1.exe	27
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 360	1628	5.exe	22
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 384	1628	5.exe	4
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 420	1628	5.exe	3
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 464	1628	5.exe	2
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 480	1628	5.exe	1
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 488	1628	5.exe	21
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 584	1628	5.exe	20
PID 1628 wrote to memory of 664	1628	5.exe	19

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1616
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1244
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:740
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:584

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe
  "C:\Users\Admin\AppData\Local\Temp\53dfd190f6be73e6d77dcec1137883c3b15855789e11984d77155a94d5f9d021.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\WINDOWS\system\1.exe
    "C:\WINDOWS\system\1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\WINDOWS\system\5.exe
      "C:\WINDOWS\system\5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1628

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
C:\WINDOWS\system\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
C:\Windows\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
C:\Windows\system\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
\Windows\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
\Windows\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
\Windows\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
\Windows\system\1.exe

Filesize
185KB

MD5
4645e288bbcfdf811dc809f16fbe8ba9

SHA1
ce9aaee40fab24c2082c333e412ab3bc25133b80

SHA256
c8930d745a7a6f7db264b7cb088f4d1b2ec3eb2ae308c5834bedc5e468bf75b1

SHA512
30718c7ab803c27076f1e24c2278f5eea9036e42713313bc01ec2ad02db206f53ed258c246913fb322984c6b1abff269bd99e1e7ae0fe4f009a527ccc0a01ac0

Download Submit
\Windows\system\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
\Windows\system\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
\Windows\system\5.exe

Filesize
114KB

MD5
1666f26018a9b8374a8d720885b8e8c0

SHA1
1fa35785b6043513297eeae96ab431fef9c21a85

SHA256
e3ac62add205edfea215937b060c84206bc79b1cf3ed15278f36b9e6b5cf872d

SHA512
e7b8766ac8c3c8e302bcf6eb907ebdf4af0adb6ca877ff1ad11f7624005917003f9757abcdc321823aa52e2a4fa7bd866f0b172ba2899b60f412e358118e3fe0

Download Submit
memory/1368-77-0x000000007EFB0000-0x000000007EFB6000-memory.dmp

Filesize
24KB

Download
memory/1628-65-0x0000000000000000-mapping.dmp

Download
memory/1628-74-0x00000000002C0000-0x00000000002E1000-memory.dmp

Filesize
132KB

Download
memory/1628-75-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1628-73-0x00000000002C0000-0x00000000002E1000-memory.dmp

Filesize
132KB

Download
memory/1628-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1896-67-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1896-56-0x0000000000000000-mapping.dmp

Download
memory/1896-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2016-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download