Analysis

  • max time kernel
    343s
  • max time network
    379s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 20:59

General

  • Target

    ff0c7a781d85d81363f385617476e5199791bc9702c323142ec53b7e839b8f98.exe

  • Size

    255KB

  • MD5

    d1b1341d083a3008b97a28077e52e1c5

  • SHA1

    3de7acf39298dec436b6d749ddb27d73a92a9c56

  • SHA256

    ff0c7a781d85d81363f385617476e5199791bc9702c323142ec53b7e839b8f98

  • SHA512

    4465ef6f31d70321da2a0d88fbee0a18134ff0f964819c0d57be3f2560d2fb44ab0d664854b78eda959a3e663f16c8fc9e74b868f10be7ef918a81000aa610d3

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIZ

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but no file-encryption or ransom-note signature fired in this run, so treat it as drive enumeration until proven otherwise.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
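
The Explorer, RegEdit, Winlogon and Run-key signatures above all describe registry writes, and the report gives only the signature names, not the values. The following is an added example, not part of the sandbox report, of evaluating a registry snapshot for those changes: the value names (HideFileExt, Hidden, ShowSuperHidden, DisableRegistryTools, Winlogon Shell/Userinit) and the states treated as tampered are assumptions drawn from how Windows reads those keys, and the sample snapshot is constructed (only the dropped-file name in the Run entry comes from the report).

```python
"""Evaluate a registry snapshot for the Explorer, RegEdit, Winlogon and Run-key
changes the report's signatures name.

Added example, not part of the sandbox report. The report names the behaviours
but does not print the values the sample wrote, so the value names and the
"tampered" values below are assumptions drawn from how Explorer, RegEdit and
Winlogon read those keys, not data taken from the report.
"""
import platform

ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SYSTEM_POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# (key, value name, predicate that is True for the tampered state, description)
RULES = [
    (ADVANCED, "HideFileExt", lambda v: v == 1,
     "file extensions hidden in Explorer"),
    (ADVANCED, "Hidden", lambda v: v == 2,
     "hidden files not shown in Explorer"),
    (ADVANCED, "ShowSuperHidden", lambda v: v == 0,
     "protected system files hidden in Explorer"),
    (SYSTEM_POLICY, "DisableRegistryTools", lambda v: v in (1, 2),
     "RegEdit disabled by policy"),
    (WINLOGON, "Shell", lambda v: str(v).strip().lower() != "explorer.exe",
     "Winlogon Shell is no longer just explorer.exe"),
    (WINLOGON, "Userinit",
     lambda v: str(v).strip().lower().rstrip(",") != DEFAULT_USERINIT,
     "Winlogon Userinit changed from the default"),
]


def evaluate(snapshot):
    """snapshot: {key_path: {value_name: data}} -> list of finding strings."""
    findings = []
    for key, name, tampered, text in RULES:
        data = snapshot.get(key, {}).get(name)
        if data is not None and tampered(data):
            findings.append(f"{text}: {key}\\{name} = {data!r}")
    # A Run entry is only as suspicious as what it launches. This sample drops
    # its copies into SysWOW64, so that directory is the trigger here (assumption:
    # a legitimate Run entry in your fleet would not point there).
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if "\\syswow64\\" in str(data).lower():
                findings.append(f"Run key launches a SysWOW64 binary: {key}\\{name} = {data!r}")
    return findings


def collect_live():
    """Read the same keys from the live registry (Windows only)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for key in sorted({r[0] for r in RULES} | set(RUN_KEYS)):
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break
                    values[name] = data
                    index += 1
                snapshot[key] = values
        except OSError:
            continue
    return snapshot


# Constructed snapshot: the Run value name and path reuse a dropped-file name
# from the report's process tree; every registry value here is assumed.
SAMPLE_SNAPSHOT = {
    ADVANCED: {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    SYSTEM_POLICY: {"DisableRegistryTools": 1},
    WINLOGON: {"Shell": "explorer.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
    RUN_KEYS[0]: {"mgkafluwtsthkoh": r"C:\Windows\SysWOW64\mgkafluwtsthkoh.exe"},
}

if __name__ == "__main__":
    snap = collect_live() if platform.system() == "Windows" else SAMPLE_SNAPSHOT
    for line in evaluate(snap) or ["no indicators found"]:
        print(line)
```

On a Windows host `collect_live()` reads the real keys and `evaluate()` reports what differs from the defaults; elsewhere the constructed snapshot runs. The Winlogon Shell and Userinit values also exist per user under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, so a fleet check should read both hives.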

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff0c7a781d85d81363f385617476e5199791bc9702c323142ec53b7e839b8f98.exe
    "C:\Users\Admin\AppData\Local\Temp\ff0c7a781d85d81363f385617476e5199791bc9702c323142ec53b7e839b8f98.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\oyoonrxekp.exe
      oyoonrxekp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\SysWOW64\gbjhtbxz.exe
        C:\Windows\system32\gbjhtbxz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3008
    • C:\Windows\SysWOW64\gbjhtbxz.exe
      gbjhtbxz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1480
    • C:\Windows\SysWOW64\qfjkpoyzfcwjw.exe
      qfjkpoyzfcwjw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3520
    • C:\Windows\SysWOW64\mgkafluwtsthkoh.exe
      mgkafluwtsthkoh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4716
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      PID:3576
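
The tree shows one pattern worth a detection rule: a binary staged in the user's Temp directory starts four copies from C:\Windows\SysWOW64, one of those starts a further copy, and the original process opens WINWORD.EXE on C:\Windows\mydoc.rtf as a decoy. The child at PID 3008 was launched as C:\Windows\system32\gbjhtbxz.exe but its image is under SysWOW64, which is WOW64 file-system redirection for a 32-bit process, so any hunt must cover both directories. The following is an added example, not part of the sandbox report, of those rules over process-creation events. The records are constructed from the tree above with Sysmon Event ID 1 field names; the root process's parent (explorer.exe, PID 1000) and the list of parents from which an Office launch is unremarkable are assumptions.

```python
"""Flag the drop-and-execute chain and the decoy-document launch from the
report's process tree, over process-creation events.

Added example, not part of the sandbox report. The records below are
constructed from the tree (PIDs, images, command lines); the field names follow
Sysmon Event ID 1, but this is not a real Sysmon export, and the parent of the
root process (explorer.exe, PID 1000) is assumed because the report does not
show it.
"""
import ntpath
import re

ORIG = r"C:\Users\Admin\AppData\Local\Temp\ff0c7a781d85d81363f385617476e5199791bc9702c323142ec53b7e839b8f98.exe"
OFFICE = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"

EVENTS = [
    {"ProcessId": 2840, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": ORIG, "CommandLine": f'"{ORIG}"'},
    {"ProcessId": 4644, "ParentProcessId": 2840,
     "Image": r"C:\Windows\SysWOW64\oyoonrxekp.exe", "CommandLine": "oyoonrxekp.exe"},
    {"ProcessId": 3008, "ParentProcessId": 4644,
     "Image": r"C:\Windows\SysWOW64\gbjhtbxz.exe",
     "CommandLine": r"C:\Windows\system32\gbjhtbxz.exe"},
    {"ProcessId": 1480, "ParentProcessId": 2840,
     "Image": r"C:\Windows\SysWOW64\gbjhtbxz.exe", "CommandLine": "gbjhtbxz.exe"},
    {"ProcessId": 3520, "ParentProcessId": 2840,
     "Image": r"C:\Windows\SysWOW64\qfjkpoyzfcwjw.exe", "CommandLine": "qfjkpoyzfcwjw.exe"},
    {"ProcessId": 4716, "ParentProcessId": 2840,
     "Image": r"C:\Windows\SysWOW64\mgkafluwtsthkoh.exe", "CommandLine": "mgkafluwtsthkoh.exe"},
    {"ProcessId": 3576, "ParentProcessId": 2840, "Image": OFFICE,
     "CommandLine": f'"{OFFICE}" /n "C:\\Windows\\mydoc.rtf" /o ""'},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
SYSTEM_DIRS = (r"c:\windows\syswow64", r"c:\windows\system32")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Parents from which an Office launch is unremarkable (assumed list).
NORMAL_OFFICE_PARENTS = {"explorer.exe", "outlook.exe", "svchost.exe"}


def _dir(path):
    return ntpath.dirname(path.lower())


def _base(path):
    return ntpath.basename(path.lower())


def detect(events):
    """Return (rule, pid, detail) tuples for the suspicious launches."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        pimage = parent["Image"] if parent else e.get("ParentImage", "")
        image, cmd = e["Image"], e["CommandLine"]
        # 1. A binary staged in %TEMP% starting a child that lives in a system directory.
        if TEMP_MARKER in pimage.lower() and _dir(image) in SYSTEM_DIRS:
            findings.append(("drop_and_execute", e["ProcessId"], image))
        # 2. An Office app launched by something other than the shell/mail client,
        #    opening a document that sits directly under C:\Windows (the decoy).
        if _base(image) in OFFICE_APPS and _base(pimage) not in NORMAL_OFFICE_PARENTS:
            args = re.findall(r'"([^"]*)"', cmd)[1:]
            decoys = [a for a in args if _dir(a) == r"c:\windows"]
            if decoys:
                findings.append(("decoy_document", e["ProcessId"], decoys[0]))
        # 3. Command line names system32 but the image is in SysWOW64: WOW64
        #    file-system redirection for a 32-bit process. Hunt both directories.
        if "\\system32\\" in cmd.lower() and _dir(image) == SYSTEM_DIRS[0]:
            findings.append(("wow64_redirect", e["ProcessId"], image))
    return findings


def lineage(events, pid):
    """Image file names from pid up to the root, for alert context."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:17} pid={pid:<5} {detail}  <- {' <- '.join(lineage(EVENTS, pid))}")
```

Rule 1 fires on the four children of PID 2840, rule 3 on PID 3008, and rule 2 on the WINWORD launch; `lineage()` walks the parent chain so an alert on PID 3008 carries gbjhtbxz.exe <- oyoonrxekp.exe <- the original sample.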

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\gbjhtbxz.exe (255KB)
    MD5     750d5542d9c0ce00dd53b085e579128b
    SHA1    a7b05fe867027e6664b855e0e6c93e8fd810ae25
    SHA256  e63074526b43781d26d6cc005c5fda19d9f044d07c60796c6361fd241f52cb9a
    SHA512  00baa3207a42698f7e5380eaaf2aeb37db8847f3291706126611108c0cb8f59499c3e7d35107d4ba60bf59eb24a6eea22476eb2f4b39a3f91aebe91c8d1fa01e

  • C:\Windows\SysWOW64\mgkafluwtsthkoh.exe (255KB)
    MD5     4d6917f02aa49b74f5c438297a412bb6
    SHA1    b688fc8bde0d89c0457d0d901cbaa68ac6139e69
    SHA256  2df5bb0c0e8d1a7faf4dd708eb2e77c4629b8b2134bd4bf7734835e02c309094
    SHA512  48f259761cdee039f1c55cf6afba01296d11c15158b0e82137e8880af55c3224e88a52a68d819a09c95b1a52e886624a419a95277b3b8d9d7dc3e90bd9ce2188

  • C:\Windows\SysWOW64\oyoonrxekp.exe (255KB)
    MD5     5dccf1610e57f617ab3bcc0fd3ed178c
    SHA1    a53c7941971fde4df20b167ec9d2f8aec8927983
    SHA256  47e8ac55cb5f21d34a82255f9ece2367045491f7b9625279675b2f8bded0444b
    SHA512  228152b703f5f72db2e27816c6193d12dbeb1b5267cdf17b7b89dee6ff6901f36fdd9564469c5c6cff0794b9a629bd052c7afa854c5df6310d13494e517f582d

  • C:\Windows\SysWOW64\qfjkpoyzfcwjw.exe (255KB)
    MD5     485e6b77d05696621f3576426ab7f138
    SHA1    aef9a0069a11c4868e0c9e0c6b19ba5271dc8845
    SHA256  117e4f8631a2cc23a837eeb5aa334140443f7bfaff4c3f2721bf013ce672b6b1
    SHA512  660dd38c6bfc6eb7678518079ea3bd436247f9f22f73eec956dd050cb0dd45ef898728b296e69390a59dc848dbfb8b96e81929f336d791aede4bff24ab67e4f3

  • memory/1480-138-0x0000000000000000-mapping.dmp
  • memory/1480-147-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/2840-132-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/2840-149-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/3008-154-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/3008-152-0x0000000000000000-mapping.dmp
  • memory/3520-142-0x0000000000000000-mapping.dmp
  • memory/3520-148-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/3520-151-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/3576-155-0x0000000000000000-mapping.dmp
  • memory/4644-145-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/4644-133-0x0000000000000000-mapping.dmp
  • memory/4716-146-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/4716-150-0x0000000000400000-0x00000000004A0000-memory.dmp (640KB)
  • memory/4716-136-0x0000000000000000-mapping.dmp
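
Two things in the file and memory listings are worth checking on any related sample: every dropped copy is 255KB yet carries a different hash (so size is no indicator; the SHA-256 values are), and every process image occupies 0x400000 to 0x4A0000 (640KB) although the file on disk is 255KB. That gap is what a UPX-packed image looks like once mapped: the first section (UPX0 in stock UPX) has no raw bytes in the file and is only filled when the stub unpacks into it, so SizeOfImage exceeds the file size. The following is an added example, not code from the sandbox report, that matches a file against the SHA-256 values listed above and reads the PE section table for that layout with a minimal pure-Python parser (no pefile dependency). The PE used in the test is constructed by `build_pe()` and is not a real sample; the layout heuristic is an assumption that a modified UPX which renames its sections keeps the empty first section.

```python
"""Triage dropped files: match against the report's SHA-256 IoCs and inspect
the PE section table for the UPX layout the report's signature names.

Added example, not code from the sandbox report. The SHA-256 values are the
ones printed in the report; the PE reader is a minimal pure-Python parser, and
the image used for testing is constructed in build_pe(), not a real sample.
"""
import hashlib
import struct

# Dropped-file and original-sample hashes as listed in the report.
REPORT_SHA256 = {
    "e63074526b43781d26d6cc005c5fda19d9f044d07c60796c6361fd241f52cb9a": "gbjhtbxz.exe",
    "2df5bb0c0e8d1a7faf4dd708eb2e77c4629b8b2134bd4bf7734835e02c309094": "mgkafluwtsthkoh.exe",
    "47e8ac55cb5f21d34a82255f9ece2367045491f7b9625279675b2f8bded0444b": "oyoonrxekp.exe",
    "117e4f8631a2cc23a837eeb5aa334140443f7bfaff4c3f2721bf013ce672b6b1": "qfjkpoyzfcwjw.exe",
    "ff0c7a781d85d81363f385617476e5199791bc9702c323142ec53b7e839b8f98": "original sample",
}


def match_report_hash(data):
    """Return the report's name for this file if its SHA-256 is listed, else None."""
    return REPORT_SHA256.get(hashlib.sha256(data).hexdigest())


def pe_headers(data):
    """Parse SizeOfImage and the section table from a PE image.

    Returns (size_of_image, [(name, virtual_size, raw_size), ...]).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return size_of_image, sections


def upx_indicators(sections):
    """Name-based check plus a layout heuristic for renamed-section variants."""
    by_name = any(name.startswith("UPX") for name, _, _ in sections)
    # Stock UPX: first section has raw size 0 and a large virtual size (the
    # unpack target). Assumption: a modified UPX that renames sections keeps it.
    by_layout = bool(sections) and sections[0][2] == 0 and sections[0][1] >= 0x10000
    return {"upx_section_names": by_name, "empty_first_section": by_layout}


def build_pe(sections, size_of_image):
    """Constructed header-only PE32 for testing; sections is [(name, vsize, rsize)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    table, vaddr = b"", 0x1000
    for name, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"),
                             vsize, vaddr, rsize, 0, 0, 0, 0, 0, 0)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        size_img, secs = pe_headers(blob)
        print(path, match_report_hash(blob), hex(size_img), secs, upx_indicators(secs))
```

Run it against the files recovered from an infected host; a SizeOfImage around 0xA0000 next to a 255KB file, with an empty first section, is the on-disk counterpart of the 640KB dumps above. The per-copy hash differences mean exact-hash IoCs only catch this exact run; the SSDEEP value in the General section is the better pivot for related copies.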