add942f14b76a18189f14125eb78f7b38f4087a7f6cb2ec3c0029d733cbcf9ba

Analysis

max time kernel
154s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

改枪.exe
Size

1.5MB
MD5

7d2e5610ea5fe795d2d896c4a4ee84ac
SHA1

a49f440a50ab7ed0addcaefd41a0910ab51e10ba
SHA256

3e1b059c68719b90399fde5f11e8e7ddbab76a7e7f9c740edb973756f7592454
SHA512

ae78baf2899e8114f5ceaef58f26f796e5f086e5e6cf7e1d6050b310acc64873d9dd40401a03129436700d7de8207765158f43aa802b74294bcd98405a8c5c10
SSDEEP

24576:tHsmDWASZgUx0tswA7pX8dUCwO3jEOXpaBj6643bamv28Pd3FOa8PKQOutHY6jCm:VZyA6x00p8y++jjwa8F5mR5Y6jCyE9o

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3156-1488-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1489-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1490-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1492-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1494-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1496-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1498-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1500-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1502-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1504-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1506-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1508-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1510-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1512-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1514-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1516-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1519-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1521-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1523-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1525-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1527-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1529-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1531-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3156-1533-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PastWqM15.sys	改枪.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs

pid	Process
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3156	改枪.exe
3156	改枪.exe
3156	改枪.exe

C:\Users\Admin\AppData\Local\Temp\改枪.exe
"C:\Users\Admin\AppData\Local\Temp\改枪.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-132-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-133-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/3156-134-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/3156-136-0x00000000762F0000-0x0000000076490000-memory.dmp

Filesize
1.6MB

Download
memory/3156-137-0x0000000075A00000-0x0000000075A7A000-memory.dmp

Filesize
488KB

Download
memory/3156-1481-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1482-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1483-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1484-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1486-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1487-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1488-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1489-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1490-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1492-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1494-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1496-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1498-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1500-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1502-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1504-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1506-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1508-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1510-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1512-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1514-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1516-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1519-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1521-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1523-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1525-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1527-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1529-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1531-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1532-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3156-1533-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3156-1534-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download