daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59

Analysis

max time kernel
47s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
Size

123KB
MD5

2577cc18aba285dbac94002bd752fac0
SHA1

1faa4a98c6b6cfbfb96ef9399730f3c33b465e73
SHA256

daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59
SHA512

36aebc2233b84ec78a86d39a39ad49bdab715dff1be1119fe960e4551004db6080caca89cefe3b6a3f07949e1e929f36654240f65ebf53849db7228187be38de
SSDEEP

3072:YYPh9f1/aBFyklWwwWPHmdYRuFbV6w+RaDNEiUAt:R5lIT7wqGd16+lt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

xxx.exexxx.exe

pid process

724 xxx.exe
1892 xxx.exe

pid	process
724	xxx.exe
1892	xxx.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/828-55-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/828-77-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exexxx.exexxx.exe

pid process

828 daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
724 xxx.exe
724 xxx.exe
724 xxx.exe
1892 xxx.exe
1892 xxx.exe

pid	process
828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
724	xxx.exe
724	xxx.exe
724	xxx.exe
1892	xxx.exe
1892	xxx.exe

Drops file in System32 directory 4 IoCs

Processes:

daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\sss.jpg	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
File opened for modification	C:\WINDOWS\SysWOW64\sss.jpg	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
File created	C:\WINDOWS\SysWOW64\xxx.exe	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
File opened for modification	C:\WINDOWS\SysWOW64\xxx.exe	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xxx.exe

description pid process target process

PID 724 set thread context of 1892 724 xxx.exe xxx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xxx.exe

pid process

1892 xxx.exe
1892 xxx.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

xxx.exe

pid process

724 xxx.exe

description	pid	process	target process
PID 724 set thread context of 1892	724	xxx.exe	xxx.exe

pid	process
1892	xxx.exe
1892	xxx.exe

pid	process
724	xxx.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exexxx.exexxx.exe

description	pid	process	target process
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 828 wrote to memory of 724	828	daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 724 wrote to memory of 1892	724	xxx.exe	xxx.exe
PID 1892 wrote to memory of 1204	1892	xxx.exe	Explorer.EXE
PID 1892 wrote to memory of 1204	1892	xxx.exe	Explorer.EXE
PID 1892 wrote to memory of 1204	1892	xxx.exe	Explorer.EXE
PID 1892 wrote to memory of 1204	1892	xxx.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe
"C:\Users\Admin\AppData\Local\Temp\daff14bc41199713052e07edf05faefd9676d4b46a2f048de4e0178d00f65b59.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:828

C:\WINDOWS\SysWOW64\xxx.exe
"C:\WINDOWS\system32\xxx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:724

C:\WINDOWS\SysWOW64\xxx.exe
C:\WINDOWS\SysWOW64\xxx.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
C:\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
C:\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
\Windows\SysWOW64\xxx.exe

Filesize
107KB

MD5
a529bdb9269f3b7f51d55a2520f47c59

SHA1
a443f448c67cc772f17a0f3ee3abe73510b45f70

SHA256
32a2d55dde415fdcd877527d19257242000fdebe5f4c618d0f85fc6052130f70

SHA512
098d505199071a6c36e71e592f846e0b1a1e80314ce856564b71f6cab3c0c954cec1d550a9a9f09d80dfa0c6531a805341ca07b50fa807fc9b4963d1eefcf443

Download Submit
memory/724-57-0x0000000000000000-mapping.dmp

Download
memory/724-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/828-74-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/828-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/828-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/828-75-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/828-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1204-78-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1892-67-0x0000000000407A4D-mapping.dmp

Download
memory/1892-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1892-76-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1892-81-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download