Overview

overview

9

Static

static

8

1f57b5b5a6...0c.exe

windows7-x64

9

1f57b5b5a6...0c.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    48s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f57b5b5a69ac0decc867c0d548bfa072b5a089205c67da201c9fc57dc0d4b0c.exe

  • Size

    26KB

  • MD5

    d297a6085cdcf0610e263e2f73d6b6ba

  • SHA1

    c200c715e1dfdfcafb50ba5347c1093ae28f0ff2

  • SHA256

    1f57b5b5a69ac0decc867c0d548bfa072b5a089205c67da201c9fc57dc0d4b0c

  • SHA512

    25fe2f8fe12bfbff563c2ea1e8fefb42cf84283ad28143cc0df70e7b8e0f3209aa613ebb78612cfc9cf24874ff6c1323df8b786f90e02062f42806c1297554bd

  • SSDEEP

    768:lMPn5bGKBZ8K0wUbtuzM3hQPLEHf/3l8J:k1BZ8K0wUbcPLMfN8J

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f57b5b5a69ac0decc867c0d548bfa072b5a089205c67da201c9fc57dc0d4b0c.exe
    "C:\Users\Admin\AppData\Local\Temp\1f57b5b5a69ac0decc867c0d548bfa072b5a089205c67da201c9fc57dc0d4b0c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1F57B5~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:932

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\08223B03.dll
    Filesize

    19KB

    MD5

    6dea1b9eebba50fc7006a0b1ea6e2de8

    SHA1

    bf91304498f2dfcc080385d7ec36efde439f0b8f

    SHA256

    f626229ce8a3085180b82d0056d84e2df2e3886a49847cfe140035798558e197

    SHA512

    ce0e742f224230a5b17c439d867f89b75661e6f04cd401dad508015c368e0f36f5ac13d352fe2842301e01ac5b183dbf4ae438e5816fdc65ab7e26e20a66d983

    Download Submit

  • memory/616-54-0x0000000075931000-0x0000000075933000-memory.dmp

    Filesize

    8KB

    Download

  • memory/616-57-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/616-56-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/616-59-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download