Overview

overview

10

Static

static

8

c980b65d5c...02.exe

windows7-x64

10

c980b65d5c...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    283s
  • max time network
    338s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe

  • Size

    255KB

  • MD5

    61507aec123d36be1cb4764fd14de856

  • SHA1

    dddf303620edc157641ff233dcb2e8dd8f84ab14

  • SHA256

    c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02

  • SHA512

    81c89fa6d62c54e6b60114d06623c0f9065a5d8ed44987f02344e842cc0103e48e72e7ed5420fb44cdd6bec919b108ddf1260ce56a704b5402bdb85a1d668d1f

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJy:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIv

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe
    "C:\Users\Admin\AppData\Local\Temp\c980b65d5c2d27a0a19d53dbc384fddfca37a2a81c2db9c55564a757939cfc02.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\mobcjzhsen.exe
      mobcjzhsen.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\SysWOW64\esodfumn.exe
        C:\Windows\system32\esodfumn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:852
    • C:\Windows\SysWOW64\skdhmblhrplieuw.exe
      skdhmblhrplieuw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4936
    • C:\Windows\SysWOW64\esodfumn.exe
      esodfumn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4564
    • C:\Windows\SysWOW64\bwqkfrxqeqftu.exe
      bwqkfrxqeqftu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1388
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
        PID:4424

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\bwqkfrxqeqftu.exe
      Filesize

      255KB

      MD5

      da4873e14dd28f4646a35720d9e92434

      SHA1

      18761b05644d95b7249d6659348a1be9602c9f34

      SHA256

      0bdd9ee9b181274ff9e7effd63488f5887c7f85c0afa1a9c3cb6f3d4b5d9d70f

      SHA512

      44920f1c12f251eb66552943f9be7dd1cb56f4f748789c09d05fb145854c8459633056b182127698f65a7909ae62ada9406a186ea9279b4c177cc954bc955872

      Download Submit

    • C:\Windows\SysWOW64\bwqkfrxqeqftu.exe
      Filesize

      255KB

      MD5

      da4873e14dd28f4646a35720d9e92434

      SHA1

      18761b05644d95b7249d6659348a1be9602c9f34

      SHA256

      0bdd9ee9b181274ff9e7effd63488f5887c7f85c0afa1a9c3cb6f3d4b5d9d70f

      SHA512

      44920f1c12f251eb66552943f9be7dd1cb56f4f748789c09d05fb145854c8459633056b182127698f65a7909ae62ada9406a186ea9279b4c177cc954bc955872

      Download Submit

    • C:\Windows\SysWOW64\esodfumn.exe
      Filesize

      255KB

      MD5

      d3d37d3d23712f2b6cc88f444f81bee7

      SHA1

      d065ddcca7b2f619ee1131c92ba66e55a601de35

      SHA256

      6787e82e4428af3ead0ba316fcf0e67e4072221ec935dc73dbf6133cd4f5de8b

      SHA512

      ab651821dbd7b0d48c25b0f80361d7449f9a9aff0e4254a295155977bb3035a55045eca4edbf6230b1734d19ec074c8771b74e3915596e210231c3431cb61f59

      Download Submit

    • C:\Windows\SysWOW64\esodfumn.exe
      Filesize

      255KB

      MD5

      d3d37d3d23712f2b6cc88f444f81bee7

      SHA1

      d065ddcca7b2f619ee1131c92ba66e55a601de35

      SHA256

      6787e82e4428af3ead0ba316fcf0e67e4072221ec935dc73dbf6133cd4f5de8b

      SHA512

      ab651821dbd7b0d48c25b0f80361d7449f9a9aff0e4254a295155977bb3035a55045eca4edbf6230b1734d19ec074c8771b74e3915596e210231c3431cb61f59

      Download Submit

    • C:\Windows\SysWOW64\esodfumn.exe
      Filesize

      255KB

      MD5

      d3d37d3d23712f2b6cc88f444f81bee7

      SHA1

      d065ddcca7b2f619ee1131c92ba66e55a601de35

      SHA256

      6787e82e4428af3ead0ba316fcf0e67e4072221ec935dc73dbf6133cd4f5de8b

      SHA512

      ab651821dbd7b0d48c25b0f80361d7449f9a9aff0e4254a295155977bb3035a55045eca4edbf6230b1734d19ec074c8771b74e3915596e210231c3431cb61f59

      Download Submit

    • C:\Windows\SysWOW64\mobcjzhsen.exe
      Filesize

      255KB

      MD5

      df9c36fe6a7ab911ea1bacecfe1777e3

      SHA1

      0b780dfffe6024491814f38e4bc98f921432e537

      SHA256

      87d96948e0d3fe989b021ed46d9e5b509a381ceb266ca1bbdead65d1a179efb3

      SHA512

      029346f2b539e9a5a77c8bb6f9d59f436d22756f5201a66c4ac4e0688ef1cdc746546a682e6f348747abd9a71e7fbb6cfd761f3ca2c6465044825a456c83872e

      Download Submit

    • C:\Windows\SysWOW64\mobcjzhsen.exe
      Filesize

      255KB

      MD5

      df9c36fe6a7ab911ea1bacecfe1777e3

      SHA1

      0b780dfffe6024491814f38e4bc98f921432e537

      SHA256

      87d96948e0d3fe989b021ed46d9e5b509a381ceb266ca1bbdead65d1a179efb3

      SHA512

      029346f2b539e9a5a77c8bb6f9d59f436d22756f5201a66c4ac4e0688ef1cdc746546a682e6f348747abd9a71e7fbb6cfd761f3ca2c6465044825a456c83872e

      Download Submit

    • C:\Windows\SysWOW64\skdhmblhrplieuw.exe
      Filesize

      255KB

      MD5

      ad522ed93c111b55236bcd0adaa146ca

      SHA1

      ea865bcf4b786a9b96ce1929c20b241dc60bb325

      SHA256

      01547104137987563df23a384eb1a7410cb5870ff06e4f58dcad726c43c6b337

      SHA512

      adc578604823a4c2c7f0aac6a2d996a97f48640d5ae930dc421c08219ff5f7cef5b41a3d268341771709d89eeeb301b1c442aa57f2a747b5f898059206d06767

      Download Submit

    • C:\Windows\SysWOW64\skdhmblhrplieuw.exe
      Filesize

      255KB

      MD5

      ad522ed93c111b55236bcd0adaa146ca

      SHA1

      ea865bcf4b786a9b96ce1929c20b241dc60bb325

      SHA256

      01547104137987563df23a384eb1a7410cb5870ff06e4f58dcad726c43c6b337

      SHA512

      adc578604823a4c2c7f0aac6a2d996a97f48640d5ae930dc421c08219ff5f7cef5b41a3d268341771709d89eeeb301b1c442aa57f2a747b5f898059206d06767

      Download Submit

    • memory/852-156-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/852-152-0x0000000000000000-mapping.dmp

      Download

    • memory/852-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1388-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1388-151-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1388-144-0x0000000000000000-mapping.dmp

      Download

    • memory/3592-137-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3592-134-0x0000000000000000-mapping.dmp

      Download

    • memory/4072-157-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4072-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4072-133-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4424-155-0x0000000000000000-mapping.dmp

      Download

    • memory/4564-148-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4564-141-0x0000000000000000-mapping.dmp

      Download

    • memory/4936-138-0x0000000000000000-mapping.dmp

      Download

    • memory/4936-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4936-147-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download