Overview

overview

8

Static

static

8

02e56f7329...4e.exe

windows7-x64

8

02e56f7329...4e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e56f732971addf1953fd87dcc3dbdabcda6b867898e353800719db6fad424e.exe

  • Size

    643KB

  • MD5

    387e1800d3c25a911ba9977fcb2bb4d0

  • SHA1

    4b6d75e68cc155515892d1a14615e6125dc4f7a3

  • SHA256

    02e56f732971addf1953fd87dcc3dbdabcda6b867898e353800719db6fad424e

  • SHA512

    f8403d37caaa850a03841b687e7609ed89832588cd265f6581bd5db7cf94a13189c3f762322f20cd54147bbaeaf6952fdfc3f91a2c0ba403b721ec3591b2e245

  • SSDEEP

    12288:9m3UCDwIsIB3/ZgT0oqgBqsTz61NNiB0nXRYpE56iXRwXgRM8+Ux6yKl7gb2XQbG:9m3UCEE9/ZgT0DsTzHByWpnieXgRM8dy

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Drops file in Drivers directory 24 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 40 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e56f732971addf1953fd87dcc3dbdabcda6b867898e353800719db6fad424e.exe
    "C:\Users\Admin\AppData\Local\Temp\02e56f732971addf1953fd87dcc3dbdabcda6b867898e353800719db6fad424e.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\system32\drivers\etc\svchost.exe
      "C:\Windows\system32\drivers\etc\svchost.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Windows\System32\drivers\etc\x.exe
        "C:\Windows\System32\drivers\etc\x.exe" mIRC
        3⤵
        • Executes dropped EXE
        PID:4904

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\drivers\etc\reg.dll
    Filesize

    84KB

    MD5

    8650e5a54f7df9d47b7fa8c5236eccba

    SHA1

    7493e00f932b39edd35fccb25a75b4b41e2f5009

    SHA256

    4a4532f7b9cff5115fafa2489286b12a0e98850edf56d62daea85bb1d3f604e5

    SHA512

    2e5f7178cc1f1ef3f35ae5c05cd5bcce9b390fe7b72f001606398133ef5e10ddac32aa7050086f3eb117e03a30c637fb5064e4f8b7dc467f9dbe1eaa289a8046

    Download Submit

  • C:\Windows\System32\drivers\etc\svchost.exe
    Filesize

    496KB

    MD5

    dd6dab5797b43d121af479e22ca82f23

    SHA1

    c8a1272a3ab60958ce8635a7bdd9757ec729961f

    SHA256

    eb7ef5cce7f820fa1b7f64abe70f61f4367e462a9aaed28f166f89456e6ac75e

    SHA512

    058c69b8fb33e34700b9d72aff1898cc66c7062e76d37048a073b61f76e6019ef31895f34bf4cdd20d347f4e419b34e01f845df78f006fb9ea5105c2d790c3ca

    Download Submit

  • C:\Windows\System32\drivers\etc\x.exe
    Filesize

    22KB

    MD5

    ad335b0089e0237487b54ccd56a0c889

    SHA1

    e73ea38359a3634b470808f5b71703d38c596337

    SHA256

    97fc1f5adb202b78bf10a6989209a99691b475e37d8e7cada20341cce7a2802b

    SHA512

    7615b8d70bac4f5af6b9034154ecbe71f4b103418e044e104278ed33fba47a64457938de332cacefda5b69060c569ad4315887a786f36592800551bffaefd75c

    Download Submit

  • C:\Windows\System32\drivers\etc\x.exe
    Filesize

    22KB

    MD5

    ad335b0089e0237487b54ccd56a0c889

    SHA1

    e73ea38359a3634b470808f5b71703d38c596337

    SHA256

    97fc1f5adb202b78bf10a6989209a99691b475e37d8e7cada20341cce7a2802b

    SHA512

    7615b8d70bac4f5af6b9034154ecbe71f4b103418e044e104278ed33fba47a64457938de332cacefda5b69060c569ad4315887a786f36592800551bffaefd75c

    Download Submit

  • C:\Windows\system32\drivers\etc\svchost.exe
    Filesize

    496KB

    MD5

    dd6dab5797b43d121af479e22ca82f23

    SHA1

    c8a1272a3ab60958ce8635a7bdd9757ec729961f

    SHA256

    eb7ef5cce7f820fa1b7f64abe70f61f4367e462a9aaed28f166f89456e6ac75e

    SHA512

    058c69b8fb33e34700b9d72aff1898cc66c7062e76d37048a073b61f76e6019ef31895f34bf4cdd20d347f4e419b34e01f845df78f006fb9ea5105c2d790c3ca

    Download Submit

  • \??\c:\windows\system32\drivers\etc\id.exe
    Filesize

    163B

    MD5

    fd05e61c297c93bb27149d4146708fa2

    SHA1

    5ee9af516aea205a6a9b5e9049a28803c6452cd9

    SHA256

    8b6bb44b01f5a96cc1ff5cd752ef37c3363061c318e5b55435a2ecc4d02eb6c4

    SHA512

    02e490a2f8a2aa1d3158ddefe4743048c616e71fb911419145dc40998beb9db071a2eb78dcbfafe202a067464ca97b89c8dbdcd48644272191adea71c6b44593

    Download Submit

  • \??\c:\windows\system32\drivers\etc\mirc.ini
    Filesize

    2KB

    MD5

    916092a04acb4809471b89b80c90b758

    SHA1

    747a5a491054bfbac36ff6316664f1f22db9dbf0

    SHA256

    6172d8b118dc7700b915d19a6dfa9b7c2523d917f83276bd61747f4389bb04d3

    SHA512

    13ed58884758b3cf0a08ed59f71b68d3321db049db701d032ef4a50dd1d6639282517033ff74d51dfcdae86244c3effab9d68499c5b28f5a886298cb0787213d

    Download Submit

  • \??\c:\windows\system32\drivers\etc\reg.dll
    Filesize

    84KB

    MD5

    8650e5a54f7df9d47b7fa8c5236eccba

    SHA1

    7493e00f932b39edd35fccb25a75b4b41e2f5009

    SHA256

    4a4532f7b9cff5115fafa2489286b12a0e98850edf56d62daea85bb1d3f604e5

    SHA512

    2e5f7178cc1f1ef3f35ae5c05cd5bcce9b390fe7b72f001606398133ef5e10ddac32aa7050086f3eb117e03a30c637fb5064e4f8b7dc467f9dbe1eaa289a8046

    Download Submit

  • \??\c:\windows\system32\drivers\etc\remote.ini
    Filesize

    230B

    MD5

    6e22e05b96dcce8bdc813308da1b4c54

    SHA1

    85b33031ae2784d9449ec5cb36665b920fed1ca7

    SHA256

    1d89a9a8acb074628fc48e2e98a80754519518c7826441b30984cb5110043b5d

    SHA512

    cbc1a3fd45033ef5e8ac7e68bd3fa4e82250199fad223ba4419428c9ca7c077d58999effd4c7da880f6388fa28a8989f8397c819e280b307847583074d8ee228

    Download Submit

  • \??\c:\windows\system32\drivers\etc\rundll.exe
    Filesize

    363B

    MD5

    14fd8bf1f67a34d61a074b1d8b08ab4e

    SHA1

    6f68f2155cc43e4cc37eaa9eb44e364ad2ff4ee7

    SHA256

    f757474b1ecd0d062157e0e0f361153c6eb7dd68596a6640aa0f5ab594e13beb

    SHA512

    5475cf8a71edda3e286f297bdf398f44530142dbb55659632cefc00dc63f176e9f7496dd3b2124e57e34f4ff1058908a2c356c427655b3971623fa0feefb3d43

    Download Submit

  • \??\c:\windows\system32\drivers\etc\vir.exe
    Filesize

    10KB

    MD5

    129456fbbc566c3563481962192411f1

    SHA1

    62884e7a71f25625263e53cf08bef335c1de8ba6

    SHA256

    ceec0e2e0acf1639cbbaea7d433c67c6bd310841d865aab993e76a65ae309d95

    SHA512

    360dee27de5c25e88e4ccaad45287f8389196181c1fd16ff20124a6d3022dade6774d4a1ce1d78ca19dbd91eca9d9c0a990dc4fbc6b80d2f8df370ae9157eb08

    Download Submit

  • \??\c:\windows\system32\drivers\etc\win.com
    Filesize

    155B

    MD5

    dae361b11210e5b72f7884acff06099b

    SHA1

    726b43b09e73012593c2657ddc3cef43027ca43f

    SHA256

    c35da6d267a0807decd8ddefaa3a5359a9497802152a6f6d006ba75cd51d2e7c

    SHA512

    82509c2b2a7f96c1b5dcaa2ef47bd67b8ee82de618b9d620e02f35c92a9c3a179524e109913db4a6346131b2174a0dad0478fd639eeccb33dd30701af42b8b27

    Download Submit

  • \??\c:\windows\system32\drivers\etc\win.exe
    Filesize

    10KB

    MD5

    a91a1f4e6d1f64b0cff53435cc94156c

    SHA1

    78075877a330298e9dd53630d2900775f8d6a03a

    SHA256

    7dcf2b3b6572b98db9b539d95dbc659a841350e81d6471c47991847f5ab28216

    SHA512

    2921e7370effcb3ef231b4c01d68616f58a265946dc3694e3a7d0fc409ead4046444fe09bb4c45343546faf4636d6ae04ce69d88d571102561ee2491fc4d5daa

    Download Submit

  • memory/3064-132-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/3064-135-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/3664-137-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3664-133-0x0000000000000000-mapping.dmp

    Download

  • memory/3664-150-0x0000000010000000-0x0000000010041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/3664-153-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4904-149-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4904-151-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4904-143-0x0000000000000000-mapping.dmp

    Download