Overview

overview

10

Static

static

a360c27a49...4c.exe

windows7-x64

10

a360c27a49...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a360c27a49a39d2207bbc2e1b2b0452c2003730d009c676eaf524527df59644c.exe

  • Size

    520KB

  • MD5

    28e70b6d6910dfec97f7f0d26f58dbf0

  • SHA1

    9fe8c76e3c5c5f80e1cc9db02fd130c6a81ec8c0

  • SHA256

    a360c27a49a39d2207bbc2e1b2b0452c2003730d009c676eaf524527df59644c

  • SHA512

    acbb9a2583843e2ed060e850029b7b50e14b12d3a7bd1c22380a5812a15fe7ade4b6ec2c40ba63b5b6d91ecc2b7501f15393882a37ca38993603bf9a7a7072ff

  • SSDEEP

    12288:je5GA6wigctwxaJOri8KuMhEAF/Lc0CTbkwnj3Zz:C5KwTIzJSPK/hHjXoBj3Zz

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a360c27a49a39d2207bbc2e1b2b0452c2003730d009c676eaf524527df59644c.exe
    "C:\Users\Admin\AppData\Local\Temp\a360c27a49a39d2207bbc2e1b2b0452c2003730d009c676eaf524527df59644c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\jdFfFL.exe
      C:\Users\Admin\jdFfFL.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\wieluaj.exe
        "C:\Users\Admin\wieluaj.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del jdFfFL.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:5108
    • C:\Users\Admin\2sag.exe
      C:\Users\Admin\2sag.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Users\Admin\2sag.exe
        "C:\Users\Admin\2sag.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5052
      • C:\Users\Admin\2sag.exe
        "C:\Users\Admin\2sag.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4212
      • C:\Users\Admin\2sag.exe
        "C:\Users\Admin\2sag.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3448
      • C:\Users\Admin\2sag.exe
        "C:\Users\Admin\2sag.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1180
      • C:\Users\Admin\2sag.exe
        "C:\Users\Admin\2sag.exe"
        3⤵
        • Executes dropped EXE
        PID:2988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 80
          4⤵
          • Program crash
          PID:4880
    • C:\Users\Admin\3sag.exe
      C:\Users\Admin\3sag.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Users\Admin\AppData\Local\2aebb42b\X
        *0*bc*24470f9f*31.193.3.240:53
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          • Modifies registry class
          PID:4112
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del a360c27a49a39d2207bbc2e1b2b0452c2003730d009c676eaf524527df59644c.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4312
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988
    1⤵
      PID:3412

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    1
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    1
    T1158

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Process Discovery

    1
    T1057

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit
    • C:\Users\Admin\3sag.exe
      Filesize

      279KB

      MD5

      bc605c3a569330b1b08106d694366d7c

      SHA1

      71ee2d38c8da32dea44ad2c254a1499b98333a92

      SHA256

      84205e9b8a9ed3bc40be0cb2fb17d8ab16de65c01c282bdb664846940749661d

      SHA512

      b70fc535e7638d326e852ab79e5d328d4c5f111b8a8af4b58da01754ecb77465f5c62c3f68c72573a1e4b6345393862f5e6e3b269754fe1feaf5ba8b86c17d4c

      Download Submit
    • C:\Users\Admin\3sag.exe
      Filesize

      279KB

      MD5

      bc605c3a569330b1b08106d694366d7c

      SHA1

      71ee2d38c8da32dea44ad2c254a1499b98333a92

      SHA256

      84205e9b8a9ed3bc40be0cb2fb17d8ab16de65c01c282bdb664846940749661d

      SHA512

      b70fc535e7638d326e852ab79e5d328d4c5f111b8a8af4b58da01754ecb77465f5c62c3f68c72573a1e4b6345393862f5e6e3b269754fe1feaf5ba8b86c17d4c

      Download Submit
    • C:\Users\Admin\AppData\Local\2aebb42b\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit
    • C:\Users\Admin\AppData\Local\2aebb42b\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit
    • C:\Users\Admin\jdFfFL.exe
      Filesize

      216KB

      MD5

      5a9281e62a888f4ea82402cec883292d

      SHA1

      b997d0f7f8aecd9730b03f5e5b6b63466890ae94

      SHA256

      cd3b178a6469ddb3bf95a7425a2dbf77a71cb83d813509dcbc2357263693cd23

      SHA512

      99f6248391a17417fe6ca166a72203e44e3ebd31d1fd25e5dc45513ebd7d974a73184854c79baaeba59becf702d3f248c33b69361d36f03647dce177c324678b

      Download Submit
    • C:\Users\Admin\jdFfFL.exe
      Filesize

      216KB

      MD5

      5a9281e62a888f4ea82402cec883292d

      SHA1

      b997d0f7f8aecd9730b03f5e5b6b63466890ae94

      SHA256

      cd3b178a6469ddb3bf95a7425a2dbf77a71cb83d813509dcbc2357263693cd23

      SHA512

      99f6248391a17417fe6ca166a72203e44e3ebd31d1fd25e5dc45513ebd7d974a73184854c79baaeba59becf702d3f248c33b69361d36f03647dce177c324678b

      Download Submit
    • C:\Users\Admin\wieluaj.exe
      Filesize

      216KB

      MD5

      622a3853868a03da1c22ef0a77122fa5

      SHA1

      0b9bb9b0aeec8572b41ca858bcb994205f5c660a

      SHA256

      49fa85bbd3a0baa99c9902ca1e258f75fc00603d1c5cb04273640b171b631c83

      SHA512

      132194ec567b5380d286a50fb2de09561b2cd893e9aafa00e7479d570b36d3e1040cee1c605872cfd218f3e5a08f29aa8fb7174ce6571da84072aba753dea67d

      Download Submit
    • C:\Users\Admin\wieluaj.exe
      Filesize

      216KB

      MD5

      622a3853868a03da1c22ef0a77122fa5

      SHA1

      0b9bb9b0aeec8572b41ca858bcb994205f5c660a

      SHA256

      49fa85bbd3a0baa99c9902ca1e258f75fc00603d1c5cb04273640b171b631c83

      SHA512

      132194ec567b5380d286a50fb2de09561b2cd893e9aafa00e7479d570b36d3e1040cee1c605872cfd218f3e5a08f29aa8fb7174ce6571da84072aba753dea67d

      Download Submit
    • memory/1180-177-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1180-184-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1180-171-0x0000000000000000-mapping.dmp
      Download
    • memory/1180-173-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1180-179-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/2988-178-0x0000000000000000-mapping.dmp
      Download
    • memory/3388-196-0x0000000030670000-0x00000000306C2000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3388-185-0x0000000000000000-mapping.dmp
      Download
    • memory/3388-189-0x0000000030670000-0x00000000306C2000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3388-190-0x000000000069F000-0x00000000006D5000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3388-197-0x000000000069F000-0x00000000006D5000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3448-168-0x0000000000400000-0x0000000000427000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3448-183-0x0000000000400000-0x0000000000427000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3448-167-0x0000000000000000-mapping.dmp
      Download
    • memory/3448-172-0x0000000000400000-0x0000000000427000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3448-174-0x0000000000400000-0x0000000000427000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3548-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4112-194-0x0000000000000000-mapping.dmp
      Download
    • memory/4112-195-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4212-166-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4212-163-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4212-158-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4212-157-0x0000000000000000-mapping.dmp
      Download
    • memory/4212-161-0x0000000000400000-0x000000000040E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4312-199-0x0000000000000000-mapping.dmp
      Download
    • memory/4320-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4400-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4872-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4972-198-0x0000000000000000-mapping.dmp
      Download
    • memory/5000-191-0x0000000000000000-mapping.dmp
      Download
    • memory/5052-151-0x0000000000000000-mapping.dmp
      Download
    • memory/5052-152-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/5052-188-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/5052-155-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/5052-156-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/5052-165-0x0000000000400000-0x0000000000407000-memory.dmp
      Filesize

      28KB

      Download
    • memory/5108-146-0x0000000000000000-mapping.dmp
      Download