e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
Size

344KB
MD5

246f863339661fec85869da29d2b2878
SHA1

85f109292353baaadfdbea500b469258faf0b8f3
SHA256

e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66
SHA512

2d99b4423885517ad97a37d733d615faa0fe327137e84ea8c72b64b7618d3ee4938313cb622f2a10a37bab318365786bce95659b0c9c2c9ecf3af93245e5d9c3
SSDEEP

6144:yuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL3ks3ih1XGWp:Z6Wq4aaE6KwyF5L0Y2D1PqLF3c20

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4840	commander.exe
3748	commander.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2472-132-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2472-139-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2472-139-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\commander.exe	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
File opened for modification	C:\Windows\svhost.exe	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4840	2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	82
PID 2472 wrote to memory of 4840	2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	82
PID 2472 wrote to memory of 4840	2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	82
PID 4840 wrote to memory of 2080	4840	commander.exe	84
PID 4840 wrote to memory of 2080	4840	commander.exe	84
PID 4840 wrote to memory of 2080	4840	commander.exe	84
PID 2472 wrote to memory of 3748	2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	85
PID 2472 wrote to memory of 3748	2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	85
PID 2472 wrote to memory of 3748	2472	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	85
PID 3748 wrote to memory of 4848	3748	commander.exe	87
PID 3748 wrote to memory of 4848	3748	commander.exe	87
PID 3748 wrote to memory of 4848	3748	commander.exe	87

C:\Users\Admin\AppData\Local\Temp\e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
"C:\Users\Admin\AppData\Local\Temp\e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\at.exe
    at 9:00 /interactive C:\Windows\svhost.exe
    3⤵
    PID:2080
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C schtasks /run /tn at1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn at1
    3⤵
    PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\commander.exe

Filesize
231KB

MD5
8e18f2878034e5ed4f901524fbc22a7a

SHA1
165f57f6020c082ee4f88b6f076ff843298610b5

SHA256
dbe0d19a044651b99208cc26207a1e72d118ada977b561e598ab94b3304fd643

SHA512
3d3a1a4d8a75bb4306ed00915a74c55f0231f637c6d49f788feb1e45c383d729b8f63809e7c0c42b656f5d7ab20b9330a888eefa003c5cfb62b2c0677dce9e49

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
231KB

MD5
8e18f2878034e5ed4f901524fbc22a7a

SHA1
165f57f6020c082ee4f88b6f076ff843298610b5

SHA256
dbe0d19a044651b99208cc26207a1e72d118ada977b561e598ab94b3304fd643

SHA512
3d3a1a4d8a75bb4306ed00915a74c55f0231f637c6d49f788feb1e45c383d729b8f63809e7c0c42b656f5d7ab20b9330a888eefa003c5cfb62b2c0677dce9e49

Download Submit
memory/2472-132-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2472-139-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download