299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
Size

887KB
MD5

5fa6538471d30c084c0257b80a8a4d5e
SHA1

756e754223382739063d7420807871d255bff53d
SHA256

299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61
SHA512

8a3af2d7efd474bd95ae734ef73e323e04c7d2de9c461dee87574b07769ca046e2545a7393e3a7d54b18e6cd3635a8c59b052e162c63b091de1b7c20a9de636b
SSDEEP

12288:kYCr8rgkNxnHaFP78jdwOt/XbLAo0tjUe8NA3cNNC/Q5PXTcVgdv240dEeqYW9nM:NCYL7aJ8pwGXbD0tjBwCvI5YW9lm

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ZfUrynRIW2S8QL3.exeZfUrynRIW2S8QL3.exe

pid process

1272 ZfUrynRIW2S8QL3.exe
1072 ZfUrynRIW2S8QL3.exe

pid	process
1272	ZfUrynRIW2S8QL3.exe
1072	ZfUrynRIW2S8QL3.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1072-67-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-69-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-71-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-75-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-79-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-80-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-81-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1072-82-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exeZfUrynRIW2S8QL3.exe

pid	process
832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
1272	ZfUrynRIW2S8QL3.exe
1272	ZfUrynRIW2S8QL3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZfUrynRIW2S8QL3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	ZfUrynRIW2S8QL3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Data.Msi\\AdobeUpdate.exe"	ZfUrynRIW2S8QL3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ZfUrynRIW2S8QL3.exe

description pid process target process

PID 1272 set thread context of 1072 1272 ZfUrynRIW2S8QL3.exe ZfUrynRIW2S8QL3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1272 set thread context of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe

NSIS installer 16 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1548 DllHost.exe

pid	process
1548	DllHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exeZfUrynRIW2S8QL3.exe

description	pid	process	target process
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 832 wrote to memory of 1272	832	299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe
PID 1272 wrote to memory of 1072	1272	ZfUrynRIW2S8QL3.exe	ZfUrynRIW2S8QL3.exe

C:\Users\Admin\AppData\Local\Temp\299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe
"C:\Users\Admin\AppData\Local\Temp\299790ad7148fcae3d433c8265533e2fcbb620c04ab4896d44a1f9dc5b8e3f61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1072

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ZfUrynRIW2S8QL3.exe
Filesize
407KB

MD5
7d90310cd5a3e3616e33866581bd823c

SHA1
dbe48e17aed85409ca0b859596bbcae8b7d32ee2

SHA256
403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff

SHA512
6d90baa178536058353bbb5c62e5abcdf0f65b3020dbff44c71db9e141173465d241204e6c4a2c1f62788cc4e6b76e5ea64fc68ad419f3bc3a7819666839459c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB81.tmp\mosaicists.dll
Filesize
57KB

MD5
9402f0826f3dcf69a4c29d5c9d1a18f6

SHA1
7c59a0d04907b2c536d3ad56bc4b29de21e4e10d

SHA256
4316e64887991dff9473d33a84cb98357bec057bc97bf0d9df80f58420bc11fe

SHA512
a1040398d586413a04fc332434934c92d8180ccb64001615d90bb8ca6765a00c240acbe2ed6e015550e12a1ccd6bfb9de5ff45246eb591e31b482f7a61263e0a

Download Submit
memory/832-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1072-72-0x000000000048ED00-mapping.dmp

Download
memory/1072-66-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-67-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-69-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-71-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-75-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-79-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-80-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-81-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1072-82-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1272-64-0x0000000001F00000-0x0000000001F17000-memory.dmp

Filesize
92KB

Download
memory/1272-59-0x0000000000000000-mapping.dmp

Download