3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
Size

1.5MB
MD5

7d2e5610ea5fe795d2d896c4a4ee84ac
SHA1

a49f440a50ab7ed0addcaefd41a0910ab51e10ba
SHA256

3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454
SHA512

ae78baf2899e8114f5ceaef58f26f796e5f086e5e6cf7e1d6050b310acc64873d9dd40401a03129436700d7de8207765158f43aa802b74294bcd98405a8c5c10
SSDEEP

24576:tHsmDWASZgUx0tswA7pX8dUCwO3jEOXpaBj6643bamv28Pd3FOa8PKQOutHY6jCm:VZyA6x00p8y++jjwa8F5mR5Y6jCyE9o

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1284-4823-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1284-4866-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PastMhvve.sys	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

pid	Process
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
1284	3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe

C:\Users\Admin\AppData\Local\Temp\3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe
"C:\Users\Admin\AppData\Local\Temp\3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-56-0x0000000077290000-0x00000000772D7000-memory.dmp

Filesize
284KB

Download
memory/1284-463-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-462-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-466-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-465-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-464-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-473-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-476-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-475-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-478-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1284-477-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-480-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-481-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-479-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-484-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-483-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-503-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-504-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-502-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-506-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-505-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-507-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-508-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-510-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-512-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-514-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-524-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-523-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-521-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-520-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-519-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-518-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-517-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-516-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-515-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-513-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-511-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-509-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-501-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-500-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-499-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-498-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-497-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-496-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-495-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-494-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-493-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-492-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-491-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-490-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-489-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-488-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-487-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-486-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-485-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-482-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-474-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-472-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-471-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-470-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-469-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-467-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-468-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-1385-0x0000000001EC0000-0x0000000001FC0000-memory.dmp

Filesize
1024KB

Download
memory/1284-1387-0x00000000021E0000-0x0000000002361000-memory.dmp

Filesize
1.5MB

Download
memory/1284-4553-0x0000000001EC0000-0x0000000001FC0000-memory.dmp

Filesize
1024KB

Download
memory/1284-4818-0x0000000002370000-0x0000000002481000-memory.dmp

Filesize
1.1MB

Download
memory/1284-4819-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1284-4820-0x0000000002490000-0x0000000002591000-memory.dmp

Filesize
1.0MB

Download
memory/1284-4823-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1284-4865-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1284-4866-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1284-4867-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download