Overview

overview

10

Static

static

deb48b988b...da.exe

windows7-x64

10

deb48b988b...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    256s
  • max time network
    335s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deb48b988b6c5426e78cdd99b392630101d81aac038bca9b7ce52b2d555566da.exe

  • Size

    508KB

  • MD5

    524621ae1f7ca04301f6242c0929840d

  • SHA1

    378abe28b8c5660ffebb18f784646112ef992e50

  • SHA256

    deb48b988b6c5426e78cdd99b392630101d81aac038bca9b7ce52b2d555566da

  • SHA512

    757230ca13dc90c1b76b4be470e45ae31253dd6b4b84c12e8dc90b41c2818068b190da0b94599a1c6f523bc5491bcd2af40770dc15343e2aa0f0428343457185

  • SSDEEP

    6144:R3xV7htOfFiktSdWyKYAWFCbW7LYxLk+4MGT+N50cIXv+1coDdkozx3pypmlNH9J:R3xxPuFVtSdWJsuWXLGMvxsltRok/Gy

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 9 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 45 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\deb48b988b6c5426e78cdd99b392630101d81aac038bca9b7ce52b2d555566da.exe
      "C:\Users\Admin\AppData\Local\Temp\deb48b988b6c5426e78cdd99b392630101d81aac038bca9b7ce52b2d555566da.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Users\Admin\eosRo6jbz1.exe
        C:\Users\Admin\eosRo6jbz1.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Users\Admin\blcuos.exe
          "C:\Users\Admin\blcuos.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:820
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del eosRo6jbz1.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:544
      • C:\Users\Admin\2veg.exe
        C:\Users\Admin\2veg.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Users\Admin\2veg.exe
          "C:\Users\Admin\2veg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1880
        • C:\Users\Admin\2veg.exe
          "C:\Users\Admin\2veg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1008
        • C:\Users\Admin\2veg.exe
          "C:\Users\Admin\2veg.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1896
        • C:\Users\Admin\2veg.exe
          "C:\Users\Admin\2veg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1660
        • C:\Users\Admin\2veg.exe
          "C:\Users\Admin\2veg.exe"
          4⤵
          • Executes dropped EXE
          PID:832
      • C:\Users\Admin\3veg.exe
        C:\Users\Admin\3veg.exe
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del deb48b988b6c5426e78cdd99b392630101d81aac038bca9b7ce52b2d555566da.exe
        3⤵
        • Deletes itself
        PID:1868
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1
T1158

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • C:\Users\Admin\3veg.exe
    Filesize

    287KB

    MD5

    357d9b4488d3191b0d6197015b326484

    SHA1

    057455015523d5b0b475dce4a49d510ba6a23ee4

    SHA256

    7444e14894fdd4a92bf4fc447ac8884c230730cbd0156e84d9c37f23db4b6c36

    SHA512

    f6e059efdbb604e3a2ad3a9d91d20061f03343dd387f2d88971a640a4fb142164c79ea275200a3dbe9ab2b21a16318b5fdd457c0464b900ea37497c7500373bc

    Download Submit
  • C:\Users\Admin\blcuos.exe
    Filesize

    180KB

    MD5

    d34330a304fa9850e25ad45c940b0659

    SHA1

    1555956434f39fc0d5ad77d919cd4063260c5bb7

    SHA256

    7569a6257b97e063ae39eabae4fcf0020986a79ca492c1c59fef85dc83113bc7

    SHA512

    8b8989938671d52a0474affc9b4a69b0558ac863b374ecd27ebaf2abe37968ba834b609937c572b0c2e4965b392338f01394382747f63e95533d2d6c38ca280b

    Download Submit
  • C:\Users\Admin\blcuos.exe
    Filesize

    180KB

    MD5

    d34330a304fa9850e25ad45c940b0659

    SHA1

    1555956434f39fc0d5ad77d919cd4063260c5bb7

    SHA256

    7569a6257b97e063ae39eabae4fcf0020986a79ca492c1c59fef85dc83113bc7

    SHA512

    8b8989938671d52a0474affc9b4a69b0558ac863b374ecd27ebaf2abe37968ba834b609937c572b0c2e4965b392338f01394382747f63e95533d2d6c38ca280b

    Download Submit
  • C:\Users\Admin\eosRo6jbz1.exe
    Filesize

    180KB

    MD5

    582c4af3c13d489f7593c6655a9ed25f

    SHA1

    f920f89e59010c5d24507a3556cfa2b8ed406ddc

    SHA256

    560158f5874f861a9d2024e72d11dd6c8f730c67fead128818454989479b35c5

    SHA512

    f89286144121c22284dd9fc3b9e908d414b8d407c86f867e8485596ea847577b2a98dd8ab974ace842075c086f5aa80762e345d5f4487cb44a1ffafae6f3a21d

    Download Submit
  • C:\Users\Admin\eosRo6jbz1.exe
    Filesize

    180KB

    MD5

    582c4af3c13d489f7593c6655a9ed25f

    SHA1

    f920f89e59010c5d24507a3556cfa2b8ed406ddc

    SHA256

    560158f5874f861a9d2024e72d11dd6c8f730c67fead128818454989479b35c5

    SHA512

    f89286144121c22284dd9fc3b9e908d414b8d407c86f867e8485596ea847577b2a98dd8ab974ace842075c086f5aa80762e345d5f4487cb44a1ffafae6f3a21d

    Download Submit
  • \Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • \Users\Admin\2veg.exe
    Filesize

    124KB

    MD5

    116cdd8174ee4734183e8f019a548596

    SHA1

    d918d4e4bdaec0f4066c2285a5bd85903d92e23f

    SHA256

    dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

    SHA512

    377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

    Download Submit
  • \Users\Admin\3veg.exe
    Filesize

    287KB

    MD5

    357d9b4488d3191b0d6197015b326484

    SHA1

    057455015523d5b0b475dce4a49d510ba6a23ee4

    SHA256

    7444e14894fdd4a92bf4fc447ac8884c230730cbd0156e84d9c37f23db4b6c36

    SHA512

    f6e059efdbb604e3a2ad3a9d91d20061f03343dd387f2d88971a640a4fb142164c79ea275200a3dbe9ab2b21a16318b5fdd457c0464b900ea37497c7500373bc

    Download Submit
  • \Users\Admin\3veg.exe
    Filesize

    287KB

    MD5

    357d9b4488d3191b0d6197015b326484

    SHA1

    057455015523d5b0b475dce4a49d510ba6a23ee4

    SHA256

    7444e14894fdd4a92bf4fc447ac8884c230730cbd0156e84d9c37f23db4b6c36

    SHA512

    f6e059efdbb604e3a2ad3a9d91d20061f03343dd387f2d88971a640a4fb142164c79ea275200a3dbe9ab2b21a16318b5fdd457c0464b900ea37497c7500373bc

    Download Submit
  • \Users\Admin\blcuos.exe
    Filesize

    180KB

    MD5

    d34330a304fa9850e25ad45c940b0659

    SHA1

    1555956434f39fc0d5ad77d919cd4063260c5bb7

    SHA256

    7569a6257b97e063ae39eabae4fcf0020986a79ca492c1c59fef85dc83113bc7

    SHA512

    8b8989938671d52a0474affc9b4a69b0558ac863b374ecd27ebaf2abe37968ba834b609937c572b0c2e4965b392338f01394382747f63e95533d2d6c38ca280b

    Download Submit
  • \Users\Admin\blcuos.exe
    Filesize

    180KB

    MD5

    d34330a304fa9850e25ad45c940b0659

    SHA1

    1555956434f39fc0d5ad77d919cd4063260c5bb7

    SHA256

    7569a6257b97e063ae39eabae4fcf0020986a79ca492c1c59fef85dc83113bc7

    SHA512

    8b8989938671d52a0474affc9b4a69b0558ac863b374ecd27ebaf2abe37968ba834b609937c572b0c2e4965b392338f01394382747f63e95533d2d6c38ca280b

    Download Submit
  • \Users\Admin\eosRo6jbz1.exe
    Filesize

    180KB

    MD5

    582c4af3c13d489f7593c6655a9ed25f

    SHA1

    f920f89e59010c5d24507a3556cfa2b8ed406ddc

    SHA256

    560158f5874f861a9d2024e72d11dd6c8f730c67fead128818454989479b35c5

    SHA512

    f89286144121c22284dd9fc3b9e908d414b8d407c86f867e8485596ea847577b2a98dd8ab974ace842075c086f5aa80762e345d5f4487cb44a1ffafae6f3a21d

    Download Submit
  • \Users\Admin\eosRo6jbz1.exe
    Filesize

    180KB

    MD5

    582c4af3c13d489f7593c6655a9ed25f

    SHA1

    f920f89e59010c5d24507a3556cfa2b8ed406ddc

    SHA256

    560158f5874f861a9d2024e72d11dd6c8f730c67fead128818454989479b35c5

    SHA512

    f89286144121c22284dd9fc3b9e908d414b8d407c86f867e8485596ea847577b2a98dd8ab974ace842075c086f5aa80762e345d5f4487cb44a1ffafae6f3a21d

    Download Submit
  • memory/544-75-0x0000000000000000-mapping.dmp
    Download
  • memory/820-67-0x0000000000000000-mapping.dmp
    Download
  • memory/828-56-0x0000000075491000-0x0000000075493000-memory.dmp
    Filesize

    8KB

    Download
  • memory/832-109-0x0000000000000000-mapping.dmp
    Download
  • memory/948-152-0x000000000039B000-0x00000000003D2000-memory.dmp
    Filesize

    220KB

    Download
  • memory/948-151-0x0000000030670000-0x00000000306C1000-memory.dmp
    Filesize

    324KB

    Download
  • memory/948-136-0x0000000000000000-mapping.dmp
    Download
  • memory/948-140-0x0000000030670000-0x00000000306C1000-memory.dmp
    Filesize

    324KB

    Download
  • memory/948-141-0x000000000039B000-0x00000000003D2000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1008-92-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1008-89-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1008-116-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1008-94-0x000000000040C520-mapping.dmp
    Download
  • memory/1008-93-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1008-131-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1008-90-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1008-121-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1176-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1260-142-0x00000000029F0000-0x00000000029F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1260-146-0x00000000029F0000-0x00000000029F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1260-150-0x00000000029F0000-0x00000000029F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1632-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1660-118-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1660-105-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1660-122-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1660-104-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1660-106-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1660-107-0x0000000000405790-mapping.dmp
    Download
  • memory/1660-132-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1692-154-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1868-153-0x0000000000000000-mapping.dmp
    Download
  • memory/1880-115-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-86-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-155-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-119-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-84-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-130-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-83-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-85-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-87-0x0000000000405690-mapping.dmp
    Download
  • memory/1896-123-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-97-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-96-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-99-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-101-0x0000000000424310-mapping.dmp
    Download
  • memory/1896-138-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-100-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-120-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1896-133-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download