Analysis

  • max time kernel
    151s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 17:07

General

  • Target

    0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe

  • Size

    2.4MB

  • MD5

    3cc08484a5832e084968697b3482500c

  • SHA1

    7c44cdba35af72cbd2f8a024192b251350ccb501

  • SHA256

    0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e

  • SHA512

    64cfc7a9a7bbceee98a272bc853f480e5784af2a84db6bb809829ad580b4bad99a45d38453fc867c1426913a83512dc6c01301e3eba6fe526ebfa33b51820c7f

  • SSDEEP

    49152:FstL1S9LWLl1hYRtUwSLOekVK7vObWhLzaBkiZoStBWGJoEr9KF:FstULm1hYtSCwObULGBhKE7rc

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
    "C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
      C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
      2⤵
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
        C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
        3⤵
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
          4⤵
            PID:1812

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\teste.txt

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    • C:\Users\Admin\AppData\Local\Temp\teste.vbs

      Filesize

      841B

      MD5

      615964e5ab63a70f0e205a476c48e356

      SHA1

      292620321db69d57ba23fa98d2a89484ddcf83d0

      SHA256

      38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

      SHA512

      69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

    • memory/1628-80-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-78-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-86-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-81-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-68-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-69-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-71-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-74-0x00000000009E2400-mapping.dmp

    • memory/1628-73-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-79-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

    • memory/1628-77-0x00000000751A1000-0x00000000751A3000-memory.dmp

      Filesize

      8KB

    • memory/1724-76-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1724-62-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1724-56-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1724-67-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1724-59-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1724-57-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

    • memory/1724-63-0x0000000000401578-mapping.dmp

    • memory/1812-82-0x0000000000000000-mapping.dmp