Overview

overview

10

Static

static

8

7fa3d45f89...78.exe

windows7-x64

10

7fa3d45f89...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe

  • Size

    368KB

  • MD5

    891d6585190bc5d5a219562c998ae945

  • SHA1

    571981a09506df4c110a90041648f606d201776c

  • SHA256

    7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

  • SHA512

    a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

  • SSDEEP

    6144:hYDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYkl5q+cvrfA:K9BvctM85t35JPNJj2WzoRLQYRYzmYOd

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 4 IoCs
  • Sets file execution options in registry 2 TTPs 48 IoCs
    persistence
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 15 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe
    "C:\Users\Admin\AppData\Local\Temp\7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Local\Temp\svchost.com
      "C:\Users\Admin\AppData\Local\Temp\svchost.com"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Sets file execution options in registry
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4144
      • C:\Program Files (x86)\Common Files\System\cftmon.exe
        "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Program Files (x86)\Common Files\System\cftmon.exe
          "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:5004
      • C:\Users\Admin\AppData\Local\Temp\svchost.com
        C:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:1732
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" share SYS_c=c:\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share SYS_c=c:\
          4⤵
            PID:4684
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" user guest guest
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4164
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user guest guest
            4⤵
              PID:3568
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" user /add Network_Service
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user /add Network_Service
              4⤵
                PID:4548
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" user Network_Service 1016760
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2424
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 user Network_Service 1016760
                4⤵
                  PID:4608
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" localgroup administrators Network_Service /add
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1344
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 localgroup administrators Network_Service /add
                  4⤵
                    PID:4308

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Common Files\System\cftmon.exe
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Program Files (x86)\Common Files\System\cftmon.exe
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Program Files (x86)\Common Files\System\cftmon.exe
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svchost.com
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svchost.com
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svchost.com
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Users\Admin\Templates\cache\SFCsrvc.pif
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Windows\Help\cliconf.chm
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • C:\Windows\SysWOW64\fdisk.com
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • \??\c:\Thumbs.db
              Filesize

              368KB

              MD5

              891d6585190bc5d5a219562c998ae945

              SHA1

              571981a09506df4c110a90041648f606d201776c

              SHA256

              7fa3d45f89cdef975d22b382921c1762164f2f2476f8da887ecc898b8d843d78

              SHA512

              a8ce3c3568f4b7bb684e2e4fa9157063a213a0cd8838b6a8d833f41628978e24bb7cc6e453312c61d9e61d023534b8a23c743a9139c744f06f9ea8bc9fa2dcf7

              Download Submit

            • memory/932-151-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/932-142-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/932-138-0x0000000000000000-mapping.dmp

              Download

            • memory/1344-162-0x0000000000000000-mapping.dmp

              Download

            • memory/1456-158-0x0000000000000000-mapping.dmp

              Download

            • memory/1732-164-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/1732-141-0x0000000000000000-mapping.dmp

              Download

            • memory/1732-152-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/2424-160-0x0000000000000000-mapping.dmp

              Download

            • memory/3568-157-0x0000000000000000-mapping.dmp

              Download

            • memory/4144-165-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/4144-137-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/4144-133-0x0000000000000000-mapping.dmp

              Download

            • memory/4164-155-0x0000000000000000-mapping.dmp

              Download

            • memory/4308-163-0x0000000000000000-mapping.dmp

              Download

            • memory/4548-159-0x0000000000000000-mapping.dmp

              Download

            • memory/4608-161-0x0000000000000000-mapping.dmp

              Download

            • memory/4684-156-0x0000000000000000-mapping.dmp

              Download

            • memory/4828-154-0x0000000000000000-mapping.dmp

              Download

            • memory/5004-149-0x0000000000000000-mapping.dmp

              Download

            • memory/5004-153-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/5004-166-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/5080-132-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download

            • memory/5080-136-0x0000000000400000-0x00000000004C8000-memory.dmp

              Filesize

              800KB

              Download