8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe
Size

541KB
MD5

31b25ecd777f5cfc1602d97cd0c75d75
SHA1

e520b1bdb3841fe57ae070c13423ac87b2c2ecfd
SHA256

8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e
SHA512

1ba67db34873c729551cfb34228f18b4613a28b90f64dddf81541f54cb40359e92ac0c1a1807dc5c1b36072c0bc6f96f59349c5eee496bde887486f0ea30f919
SSDEEP

12288:lDKm7St/yUo7LWRX4U7iJmVd3DblL5y7ufSdAG2HvypW:MmU/yUo7LWRXPBrDblL5R6dA/5

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1920	Firefox Setup Stub 34.0.5.exe
1264	ProtectDLL.exe
1276	setup-stub.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00150000000054ab-55.dat	upx
behavioral1/files/0x00150000000054ab-57.dat	upx
behavioral1/files/0x00150000000054ab-61.dat	upx
behavioral1/files/0x00150000000054ab-60.dat	upx
behavioral1/files/0x00150000000054ab-59.dat	upx
behavioral1/memory/1920-76-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Loads dropped DLL 15 IoCs

pid	Process
1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe
1920	Firefox Setup Stub 34.0.5.exe
1920	Firefox Setup Stub 34.0.5.exe
1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe
1920	Firefox Setup Stub 34.0.5.exe
1276	setup-stub.exe
1276	setup-stub.exe
1276	setup-stub.exe
1276	setup-stub.exe
1276	setup-stub.exe
728	WerFault.exe
728	WerFault.exe
728	WerFault.exe
728	WerFault.exe
728	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
728	1264	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1264	ProtectDLL.exe
Token: SeSecurityPrivilege	1264	ProtectDLL.exe
Token: SeSecurityPrivilege	1264	ProtectDLL.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1920	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	28
PID 1896 wrote to memory of 1264	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	29
PID 1896 wrote to memory of 1264	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	29
PID 1896 wrote to memory of 1264	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	29
PID 1896 wrote to memory of 1264	1896	8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe	29
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1920 wrote to memory of 1276	1920	Firefox Setup Stub 34.0.5.exe	30
PID 1264 wrote to memory of 728	1264	ProtectDLL.exe	31
PID 1264 wrote to memory of 728	1264	ProtectDLL.exe	31
PID 1264 wrote to memory of 728	1264	ProtectDLL.exe	31

C:\Users\Admin\AppData\Local\Temp\8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe
"C:\Users\Admin\AppData\Local\Temp\8854eb9bb6d67e46c6ac0357047274b6f7338ceb602cfc3d991d0bd6b560862e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\7zSF632.tmp\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1276
- C:\Users\Admin\AppData\Local\Temp\ProtectDLL.exe
  "C:\Users\Admin\AppData\Local\Temp\ProtectDLL.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1264 -s 600
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF632.tmp\setup-stub.exe

Filesize
1014KB

MD5
12925c7139d00db67b41f9f7716e5038

SHA1
c138304dfa1af7c289e44cc2199ef34c3e14fa12

SHA256
6577ebe5b6f77b2100c102a9fdb626b70c56a884b6d058dcebacb4d319dd951a

SHA512
ef440a33dcf8709f4c13c4c7393ca1d061fb16a5d6bacfc6c3ee77c2186686ac5b756e67d5a99c82d9f9f3e3a1215424778843397d541a90b1b25bdc7a33ed0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF632.tmp\setup-stub.exe

Filesize
1014KB

MD5
12925c7139d00db67b41f9f7716e5038

SHA1
c138304dfa1af7c289e44cc2199ef34c3e14fa12

SHA256
6577ebe5b6f77b2100c102a9fdb626b70c56a884b6d058dcebacb4d319dd951a

SHA512
ef440a33dcf8709f4c13c4c7393ca1d061fb16a5d6bacfc6c3ee77c2186686ac5b756e67d5a99c82d9f9f3e3a1215424778843397d541a90b1b25bdc7a33ed0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe

Filesize
238KB

MD5
7d109ecd57186a8a056d44a200d4c98b

SHA1
e15bbd7800dea60bacc1b7c86759dad5b85e74f9

SHA256
1d95c36a600ad2fe7296071e8eae859477c8f960db46e6b7e46f2be722ed1a13

SHA512
f0cf0575b3ab3754dbe307f4214278f840e540e9d48196ddf9f246ff4d3043f3552849bb1adfaac560afaa62e2df67d2c2148801181e51a814b2d50fb178405d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe

Filesize
238KB

MD5
7d109ecd57186a8a056d44a200d4c98b

SHA1
e15bbd7800dea60bacc1b7c86759dad5b85e74f9

SHA256
1d95c36a600ad2fe7296071e8eae859477c8f960db46e6b7e46f2be722ed1a13

SHA512
f0cf0575b3ab3754dbe307f4214278f840e540e9d48196ddf9f246ff4d3043f3552849bb1adfaac560afaa62e2df67d2c2148801181e51a814b2d50fb178405d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF632.tmp\setup-stub.exe

Filesize
1014KB

MD5
12925c7139d00db67b41f9f7716e5038

SHA1
c138304dfa1af7c289e44cc2199ef34c3e14fa12

SHA256
6577ebe5b6f77b2100c102a9fdb626b70c56a884b6d058dcebacb4d319dd951a

SHA512
ef440a33dcf8709f4c13c4c7393ca1d061fb16a5d6bacfc6c3ee77c2186686ac5b756e67d5a99c82d9f9f3e3a1215424778843397d541a90b1b25bdc7a33ed0b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF632.tmp\setup-stub.exe

Filesize
1014KB

MD5
12925c7139d00db67b41f9f7716e5038

SHA1
c138304dfa1af7c289e44cc2199ef34c3e14fa12

SHA256
6577ebe5b6f77b2100c102a9fdb626b70c56a884b6d058dcebacb4d319dd951a

SHA512
ef440a33dcf8709f4c13c4c7393ca1d061fb16a5d6bacfc6c3ee77c2186686ac5b756e67d5a99c82d9f9f3e3a1215424778843397d541a90b1b25bdc7a33ed0b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF632.tmp\setup-stub.exe

Filesize
1014KB

MD5
12925c7139d00db67b41f9f7716e5038

SHA1
c138304dfa1af7c289e44cc2199ef34c3e14fa12

SHA256
6577ebe5b6f77b2100c102a9fdb626b70c56a884b6d058dcebacb4d319dd951a

SHA512
ef440a33dcf8709f4c13c4c7393ca1d061fb16a5d6bacfc6c3ee77c2186686ac5b756e67d5a99c82d9f9f3e3a1215424778843397d541a90b1b25bdc7a33ed0b

Download Submit
\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe

Filesize
238KB

MD5
7d109ecd57186a8a056d44a200d4c98b

SHA1
e15bbd7800dea60bacc1b7c86759dad5b85e74f9

SHA256
1d95c36a600ad2fe7296071e8eae859477c8f960db46e6b7e46f2be722ed1a13

SHA512
f0cf0575b3ab3754dbe307f4214278f840e540e9d48196ddf9f246ff4d3043f3552849bb1adfaac560afaa62e2df67d2c2148801181e51a814b2d50fb178405d

Download Submit
\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe

Filesize
238KB

MD5
7d109ecd57186a8a056d44a200d4c98b

SHA1
e15bbd7800dea60bacc1b7c86759dad5b85e74f9

SHA256
1d95c36a600ad2fe7296071e8eae859477c8f960db46e6b7e46f2be722ed1a13

SHA512
f0cf0575b3ab3754dbe307f4214278f840e540e9d48196ddf9f246ff4d3043f3552849bb1adfaac560afaa62e2df67d2c2148801181e51a814b2d50fb178405d

Download Submit
\Users\Admin\AppData\Local\Temp\Firefox Setup Stub 34.0.5.exe

Filesize
238KB

MD5
7d109ecd57186a8a056d44a200d4c98b

SHA1
e15bbd7800dea60bacc1b7c86759dad5b85e74f9

SHA256
1d95c36a600ad2fe7296071e8eae859477c8f960db46e6b7e46f2be722ed1a13

SHA512
f0cf0575b3ab3754dbe307f4214278f840e540e9d48196ddf9f246ff4d3043f3552849bb1adfaac560afaa62e2df67d2c2148801181e51a814b2d50fb178405d

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectDLL.exe

Filesize
385KB

MD5
d9e50d24eb89c82dcce3fcc0a4781ba3

SHA1
fd7697cfd05b4c7d467da6bd7aa86cdef0762b76

SHA256
e5e6adc57e1025c05bcf6622083feece3f988b4b03038def731a3abcaf025667

SHA512
5e1715c702b700f90b980c102290b8c324ae44132d9b67a33d7ef78d89915ebb1ed208da876b2987112f2e8e91cab3eb7763e04e87ac808cba8ab95f0c74bf4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF807.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF807.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF807.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
memory/728-81-0x0000000000000000-mapping.dmp

Download
memory/1264-78-0x000000013F240000-0x000000013F2A6000-memory.dmp

Filesize
408KB

Download
memory/1264-79-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1264-80-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1264-63-0x0000000000000000-mapping.dmp

Download
memory/1276-67-0x0000000000000000-mapping.dmp

Download
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1920-77-0x0000000000240000-0x0000000000269000-memory.dmp

Filesize
164KB

Download
memory/1920-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1920-56-0x0000000000000000-mapping.dmp

Download