5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224

Analysis

max time kernel
40s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
Size

1.5MB
MD5

453afe4eca786c6d47d03b54f07db3e5
SHA1

dca6c30a1e197d396832629910df2a21e04d3c93
SHA256

5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224
SHA512

c29ee0ca4633a6cd1f8c66a89f9bf985d968ccbfe42aef442e38b225b5484f7ace462fffcf91d6abf65a0810f00636a4cd837161cfe3317f30c18057eb61005a
SSDEEP

24576:7hvedoghZOpAx6i/XSoxQX9NgTq3WaplDjAhnyY78EJ3jtk5WbQRizm5Enao1N:lezZOKxj6LX823WWlDUd5k5Wb6izuEnb

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

dnfDS.exeWinHelp32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	dnfDS.exe
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	WinHelp32.exe

Executes dropped EXE 4 IoCs

Processes:

dnfZS.EXEdnfA002.exednfDS.exeWinHelp32.exe

pid process

1840 dnfZS.EXE
1324 dnfA002.exe
1240 dnfDS.exe
1604 WinHelp32.exe

pid	process
1840	dnfZS.EXE
1324	dnfA002.exe
1240	dnfDS.exe
1604	WinHelp32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\dnfDS.exe	upx
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe	upx
\Users\Admin\AppData\Local\Temp\dnfDS.exe	upx
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe	upx
behavioral1/memory/1240-74-0x0000000000400000-0x000000000040E000-memory.dmp	upx
\Windows\SysWOW64\WinHelp32.exe	upx
\Windows\SysWOW64\WinHelp32.exe	upx
C:\Windows\SysWOW64\WinHelp32.exe	upx
C:\Windows\SysWOW64\WinHelp32.exe	upx
behavioral1/memory/1240-82-0x0000000000260000-0x000000000026E000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exednfA002.exednfDS.exe

pid	process
1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
1324	dnfA002.exe
1324	dnfA002.exe
1324	dnfA002.exe
1240	dnfDS.exe
1240	dnfDS.exe

Drops file in System32 directory 3 IoCs

Processes:

dnfDS.exeWinHelp32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinHelp32.exe	dnfDS.exe
File opened for modification	C:\Windows\SysWOW64\WinHelp32.exe	dnfDS.exe
File created	C:\Windows\SysWOW64\WinHelp32.exe	WinHelp32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dnfDS.exeWinHelp32.exe

description pid process

Token: SeIncBasePriorityPrivilege 1240 dnfDS.exe
Token: SeIncBasePriorityPrivilege 1604 WinHelp32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1240	dnfDS.exe
Token: SeIncBasePriorityPrivilege	1604	WinHelp32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exednfDS.exe

description	pid	process	target process
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1840	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfZS.EXE
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1324	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfA002.exe
PID 1352 wrote to memory of 1240	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfDS.exe
PID 1352 wrote to memory of 1240	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfDS.exe
PID 1352 wrote to memory of 1240	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfDS.exe
PID 1352 wrote to memory of 1240	1352	5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe	dnfDS.exe
PID 1240 wrote to memory of 1604	1240	dnfDS.exe	WinHelp32.exe
PID 1240 wrote to memory of 1604	1240	dnfDS.exe	WinHelp32.exe
PID 1240 wrote to memory of 1604	1240	dnfDS.exe	WinHelp32.exe
PID 1240 wrote to memory of 1604	1240	dnfDS.exe	WinHelp32.exe

C:\Users\Admin\AppData\Local\Temp\5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe
"C:\Users\Admin\AppData\Local\Temp\5c4de4d2ed17cb40c67702d9a066cacfbf094361ab66910c4601d95840806224.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE
"C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE"
2⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\dnfA002.exe
"C:\Users\Admin\AppData\Local\Temp\dnfA002.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324

C:\Users\Admin\AppData\Local\Temp\dnfDS.exe
"C:\Users\Admin\AppData\Local\Temp\dnfDS.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\WinHelp32.exe
"C:\Windows\system32\WinHelp32.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul
4⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\dnfDS.exe > nul
3⤵
PID:1212

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize
104KB

MD5
d8cb66ac7938e593a4387ef7957a7536

SHA1
4b36e5d8884cee1e9cb7d3c0aa742fac9781a365

SHA256
7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5

SHA512
8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize
104KB

MD5
d8cb66ac7938e593a4387ef7957a7536

SHA1
4b36e5d8884cee1e9cb7d3c0aa742fac9781a365

SHA256
7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5

SHA512
8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfDS.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE
Filesize
1.3MB

MD5
4e6fa6153efdbb03d5b112a9f3c94331

SHA1
3ae461f627d1e1d4e308bc9e4d0598cb622584a4

SHA256
df42f73857e3aae967f986a501ea01cec7009863785aaa08df0d2e12c30237e1

SHA512
d4e0ad754c2639a38d0e19a0abd1221fb8b3b7ae7d63d8528eda8b3ad6e183b0132ec8e40397baca2ee019fe000a5dafd6d1121c651b081a855bdf9e247493bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfZS.EXE
Filesize
1.3MB

MD5
4e6fa6153efdbb03d5b112a9f3c94331

SHA1
3ae461f627d1e1d4e308bc9e4d0598cb622584a4

SHA256
df42f73857e3aae967f986a501ea01cec7009863785aaa08df0d2e12c30237e1

SHA512
d4e0ad754c2639a38d0e19a0abd1221fb8b3b7ae7d63d8528eda8b3ad6e183b0132ec8e40397baca2ee019fe000a5dafd6d1121c651b081a855bdf9e247493bd

Download Submit
C:\Windows\SysWOW64\WinHelp32.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
C:\Windows\SysWOW64\WinHelp32.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
C:\Windows\SysWOW64\drivers\PCIDump.sys
Filesize
4KB

MD5
d058dd1757e857d2cf1afcadce95a521

SHA1
3d5563ce8e7a11110d238b25711a176a63bfb703

SHA256
a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d

SHA512
748937d6ae01ddbe97470754b73563c04e492d7980a8e0bbb9ed7838e85c8cff912d087204325664c3051aeba15606d23b9b507b211a6369e7ecc7bda175da44

Download Submit
\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize
104KB

MD5
d8cb66ac7938e593a4387ef7957a7536

SHA1
4b36e5d8884cee1e9cb7d3c0aa742fac9781a365

SHA256
7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5

SHA512
8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823

Download Submit
\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize
104KB

MD5
d8cb66ac7938e593a4387ef7957a7536

SHA1
4b36e5d8884cee1e9cb7d3c0aa742fac9781a365

SHA256
7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5

SHA512
8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823

Download Submit
\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize
104KB

MD5
d8cb66ac7938e593a4387ef7957a7536

SHA1
4b36e5d8884cee1e9cb7d3c0aa742fac9781a365

SHA256
7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5

SHA512
8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823

Download Submit
\Users\Admin\AppData\Local\Temp\dnfA002.exe
Filesize
104KB

MD5
d8cb66ac7938e593a4387ef7957a7536

SHA1
4b36e5d8884cee1e9cb7d3c0aa742fac9781a365

SHA256
7b48b3f44be9089772b1f8588c2df05c5a5caf249ed6e77d90172a8b780313b5

SHA512
8d45f9808deeb47d5534de88f3be2e22171a6d8dd0a49105d5dcf2065aff4a31a505fbf2d9d1b4d94b9575397e0f3436d1b69603d6b5ffacbbc7b177cde02823

Download Submit
\Users\Admin\AppData\Local\Temp\dnfDS.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
\Users\Admin\AppData\Local\Temp\dnfDS.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
\Users\Admin\AppData\Local\Temp\dnfZS.EXE
Filesize
1.3MB

MD5
4e6fa6153efdbb03d5b112a9f3c94331

SHA1
3ae461f627d1e1d4e308bc9e4d0598cb622584a4

SHA256
df42f73857e3aae967f986a501ea01cec7009863785aaa08df0d2e12c30237e1

SHA512
d4e0ad754c2639a38d0e19a0abd1221fb8b3b7ae7d63d8528eda8b3ad6e183b0132ec8e40397baca2ee019fe000a5dafd6d1121c651b081a855bdf9e247493bd

Download Submit
\Windows\SysWOW64\WinHelp32.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
\Windows\SysWOW64\WinHelp32.exe
Filesize
17KB

MD5
b7027825eac239fe4425461d9977cdf1

SHA1
d5791093a67b1ae47ffd0fd885a3d53d3f87bede

SHA256
a3bec589212b01e9d2fe6a369cc8266748179b68df7530b409880e3cf4a8bd54

SHA512
01bf11d6ff97458d88d1f44b692fab3eec968afcd5b42419c54c6a7ab6d84c0494199b33045c46786a8083420736a88106e7ce416d3d49c52a75c9389d61d0d5

Download Submit
memory/1240-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1240-65-0x0000000000000000-mapping.dmp

Download
memory/1240-82-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/1240-83-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1604-77-0x0000000000000000-mapping.dmp

Download
memory/1840-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads