761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070

Analysis

max time kernel
144s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
Size

3.5MB
MD5

04739b0c3b70e34004805b9289244b17
SHA1

5133ab6e9486e7b96a4255c51578ded9a55117ff
SHA256

761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070
SHA512

8e92060be5c91c396e207fe259c75e9de73f1b4f0504598d5eb3ce430f9eeda247f6546cc6277d2424a0308f7662ef373f16d8c905a3e61f5e4fa4683c661ace
SSDEEP

98304:aiITUOqj12LQMdGtT55jk+qnthEULLEfXs:aiIQOqj63dG5jk+qt5d

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1312	»ØÒäºÏ»÷.exe
1540	2.exe
1204	»ØÒäºÏ»÷380uc.Com.exe
1124	emwjtjkdsm

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000139f7-64.dat	upx
behavioral1/files/0x000a0000000139f7-65.dat	upx
behavioral1/files/0x000a0000000139f7-67.dat	upx
behavioral1/memory/1204-75-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral1/memory/1204-74-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral1/files/0x000a0000000139f7-76.dat	upx
behavioral1/memory/1204-77-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral1/files/0x000a0000000139f7-78.dat	upx
behavioral1/memory/1204-80-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral1/memory/1204-81-0x0000000000400000-0x0000000000D06000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
1312	»ØÒäºÏ»÷.exe
1312	»ØÒäºÏ»÷.exe
1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
1204	»ØÒäºÏ»÷380uc.Com.exe
1540	2.exe
1540	2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\M:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\X:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\Z:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\B:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\E:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\G:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\H:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\V:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\A:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\J:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\P:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\T:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\W:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\Y:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\K:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\O:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\R:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\S:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\U:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\F:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\L:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\N:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\Q:	»ØÒäºÏ»÷380uc.Com.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1124	emwjtjkdsm

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1204	»ØÒäºÏ»÷380uc.Com.exe
1204	»ØÒäºÏ»÷380uc.Com.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1312	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	28
PID 1980 wrote to memory of 1312	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	28
PID 1980 wrote to memory of 1312	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	28
PID 1980 wrote to memory of 1312	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	28
PID 1312 wrote to memory of 1540	1312	»ØÒäºÏ»÷.exe	29
PID 1312 wrote to memory of 1540	1312	»ØÒäºÏ»÷.exe	29
PID 1312 wrote to memory of 1540	1312	»ØÒäºÏ»÷.exe	29
PID 1312 wrote to memory of 1540	1312	»ØÒäºÏ»÷.exe	29
PID 1980 wrote to memory of 1204	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	30
PID 1980 wrote to memory of 1204	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	30
PID 1980 wrote to memory of 1204	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	30
PID 1980 wrote to memory of 1204	1980	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	30
PID 1312 wrote to memory of 1404	1312	»ØÒäºÏ»÷.exe	32
PID 1312 wrote to memory of 1404	1312	»ØÒäºÏ»÷.exe	32
PID 1312 wrote to memory of 1404	1312	»ØÒäºÏ»÷.exe	32
PID 1312 wrote to memory of 1404	1312	»ØÒäºÏ»÷.exe	32
PID 1540 wrote to memory of 1124	1540	2.exe	34
PID 1540 wrote to memory of 1124	1540	2.exe	34
PID 1540 wrote to memory of 1124	1540	2.exe	34
PID 1540 wrote to memory of 1124	1540	2.exe	34

C:\Users\Admin\AppData\Local\Temp\761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
"C:\Users\Admin\AppData\Local\Temp\761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe
  "C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - \??\c:\users\admin\appdata\local\emwjtjkdsm
      "C:\Users\Admin\AppData\Local\Temp\2.exe" a -sc:\users\admin\appdata\local\temp\2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ope1D14.bat" "" "C:\Users\Admin\AppData\Local\Temp" "»ØÒäºÏ»÷.exe""
    3⤵
    PID:1404
- C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe
  "C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
196KB

MD5
fe32f45152fcc3f6f8ce48730a1b483e

SHA1
5bebcd5903735345f0dd32559cc2c5ae71e93f97

SHA256
406264222162237ea0c6886b6b8c36fd79b6ba41e15fb1f040a1c38cc62fad42

SHA512
5e807179db0ccd9a129389b95f65867f8a8189b1a18bf96d85cc4e9df4bf1bb11925d0fc95141cfe7b0c8cfe490ac77558f849216c95e4524cb74e30c7cdf525

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope1D14.bat

Filesize
44B

MD5
bd72f632464c3ff2f5a20870b59aa27b

SHA1
4bbb3d50ec61ce9adebf98a3c8f7a0bbe960a684

SHA256
9ddaf09d8002847f4ab98a3e2f50730aa4a6950815aeef1ec55bae5482afb0f4

SHA512
12295684b9c54f7a3a55c60be888941124072c864f1b52f438bfc04a929ba1e6add8a088f06d3812591a2441ec3409584a72d96f2dd8ebd47c7a7fce51443676

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe

Filesize
97KB

MD5
dc1f5eb6f9b7441934ee1ad83409c2ba

SHA1
4718c507e9130ea1c50f7e27cd064844acc6d0c6

SHA256
9852bc6670fa9dd2d803dcbb02d781c76337dd6b048c3e6a58d5e6a8775fa90c

SHA512
5d9a63b03c2a34794ba8b1c10faaa7a2f5afad64007c3062887e806b7686d8242b9842e78eed48bc41abea638a4a5e836d5d94b164cf664b9366cbb45e577f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe

Filesize
97KB

MD5
dc1f5eb6f9b7441934ee1ad83409c2ba

SHA1
4718c507e9130ea1c50f7e27cd064844acc6d0c6

SHA256
9852bc6670fa9dd2d803dcbb02d781c76337dd6b048c3e6a58d5e6a8775fa90c

SHA512
5d9a63b03c2a34794ba8b1c10faaa7a2f5afad64007c3062887e806b7686d8242b9842e78eed48bc41abea638a4a5e836d5d94b164cf664b9366cbb45e577f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
C:\Users\Admin\AppData\Local\emwjtjkdsm

Filesize
21.2MB

MD5
18cfd8964ff70e36b81bb145e26b247c

SHA1
fcf8746ddf2e68dc4a348df4924370a4c84af190

SHA256
d52d5d4e5ab1c0be694a324cbf729b7d7a52e15c6eab7ffc8ff75c928b0b2993

SHA512
45c27828fb14f3fc05a6080781201a868885ee0a48b7425c5bf31acdc7901967fd9be33af27489208969874b121886f007e483aaebd51a8ba5188dea1dc06923

Download Submit
\??\c:\users\admin\appdata\local\temp\2.exe

Filesize
196KB

MD5
fe32f45152fcc3f6f8ce48730a1b483e

SHA1
5bebcd5903735345f0dd32559cc2c5ae71e93f97

SHA256
406264222162237ea0c6886b6b8c36fd79b6ba41e15fb1f040a1c38cc62fad42

SHA512
5e807179db0ccd9a129389b95f65867f8a8189b1a18bf96d85cc4e9df4bf1bb11925d0fc95141cfe7b0c8cfe490ac77558f849216c95e4524cb74e30c7cdf525

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
196KB

MD5
fe32f45152fcc3f6f8ce48730a1b483e

SHA1
5bebcd5903735345f0dd32559cc2c5ae71e93f97

SHA256
406264222162237ea0c6886b6b8c36fd79b6ba41e15fb1f040a1c38cc62fad42

SHA512
5e807179db0ccd9a129389b95f65867f8a8189b1a18bf96d85cc4e9df4bf1bb11925d0fc95141cfe7b0c8cfe490ac77558f849216c95e4524cb74e30c7cdf525

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
196KB

MD5
fe32f45152fcc3f6f8ce48730a1b483e

SHA1
5bebcd5903735345f0dd32559cc2c5ae71e93f97

SHA256
406264222162237ea0c6886b6b8c36fd79b6ba41e15fb1f040a1c38cc62fad42

SHA512
5e807179db0ccd9a129389b95f65867f8a8189b1a18bf96d85cc4e9df4bf1bb11925d0fc95141cfe7b0c8cfe490ac77558f849216c95e4524cb74e30c7cdf525

Download Submit
\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe

Filesize
97KB

MD5
dc1f5eb6f9b7441934ee1ad83409c2ba

SHA1
4718c507e9130ea1c50f7e27cd064844acc6d0c6

SHA256
9852bc6670fa9dd2d803dcbb02d781c76337dd6b048c3e6a58d5e6a8775fa90c

SHA512
5d9a63b03c2a34794ba8b1c10faaa7a2f5afad64007c3062887e806b7686d8242b9842e78eed48bc41abea638a4a5e836d5d94b164cf664b9366cbb45e577f21

Download Submit
\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe

Filesize
97KB

MD5
dc1f5eb6f9b7441934ee1ad83409c2ba

SHA1
4718c507e9130ea1c50f7e27cd064844acc6d0c6

SHA256
9852bc6670fa9dd2d803dcbb02d781c76337dd6b048c3e6a58d5e6a8775fa90c

SHA512
5d9a63b03c2a34794ba8b1c10faaa7a2f5afad64007c3062887e806b7686d8242b9842e78eed48bc41abea638a4a5e836d5d94b164cf664b9366cbb45e577f21

Download Submit
\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
\Users\Admin\AppData\Local\emwjtjkdsm

Filesize
21.2MB

MD5
18cfd8964ff70e36b81bb145e26b247c

SHA1
fcf8746ddf2e68dc4a348df4924370a4c84af190

SHA256
d52d5d4e5ab1c0be694a324cbf729b7d7a52e15c6eab7ffc8ff75c928b0b2993

SHA512
45c27828fb14f3fc05a6080781201a868885ee0a48b7425c5bf31acdc7901967fd9be33af27489208969874b121886f007e483aaebd51a8ba5188dea1dc06923

Download Submit
\Users\Admin\AppData\Local\emwjtjkdsm

Filesize
21.2MB

MD5
18cfd8964ff70e36b81bb145e26b247c

SHA1
fcf8746ddf2e68dc4a348df4924370a4c84af190

SHA256
d52d5d4e5ab1c0be694a324cbf729b7d7a52e15c6eab7ffc8ff75c928b0b2993

SHA512
45c27828fb14f3fc05a6080781201a868885ee0a48b7425c5bf31acdc7901967fd9be33af27489208969874b121886f007e483aaebd51a8ba5188dea1dc06923

Download Submit
memory/1124-86-0x0000000000000000-mapping.dmp

Download
memory/1204-81-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/1204-82-0x0000000003E20000-0x0000000003E30000-memory.dmp

Filesize
64KB

Download
memory/1204-75-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/1204-77-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/1204-66-0x0000000000000000-mapping.dmp

Download
memory/1204-79-0x0000000003E20000-0x0000000003E30000-memory.dmp

Filesize
64KB

Download
memory/1204-80-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/1204-74-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/1312-57-0x0000000000000000-mapping.dmp

Download
memory/1312-69-0x0000000000400000-0x0000000000419FAC-memory.dmp

Filesize
103KB

Download
memory/1404-68-0x0000000000000000-mapping.dmp

Download
memory/1540-62-0x0000000000000000-mapping.dmp

Download
memory/1980-71-0x0000000000400000-0x000000000078DD46-memory.dmp

Filesize
3.6MB

Download
memory/1980-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download