Overview

overview

8

Static

static

6854daefcb...7b.exe

windows7-x64

8

6854daefcb...7b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    190s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6854daefcb6bf04e35ccdb1bf08ce75315a3fc8bb19d0182a7eddd5bfe4ead7b.exe

  • Size

    2.0MB

  • MD5

    1ef927006683a9187cc55c8efe36e256

  • SHA1

    bccb3687d7ce6caa1c8c6d1ee21e99aca9acf21c

  • SHA256

    6854daefcb6bf04e35ccdb1bf08ce75315a3fc8bb19d0182a7eddd5bfe4ead7b

  • SHA512

    0d76cf765eaeaef62f104fc9c6b2d9bb2a401c39e72df7fb2199b2348b5b3f482725f098125b6d443f0dcccef2aa495126a5b1e025be0df1b9b52ceec67d87b4

  • SSDEEP

    24576:uBoJKz7+Ze0/r2PEw55c2wTYs42cYbDyGWBVGZu8BlscURb+bo98Ef1gFIo4KGqI:upz7G2PxJhAyGWv4uAA+cRgFIAG2SWs

Score
8/10
upxvmprotect

Malware Config

Signatures

  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6854daefcb6bf04e35ccdb1bf08ce75315a3fc8bb19d0182a7eddd5bfe4ead7b.exe
    "C:\Users\Admin\AppData\Local\Temp\6854daefcb6bf04e35ccdb1bf08ce75315a3fc8bb19d0182a7eddd5bfe4ead7b.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cnlna.com/
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffcf89c46f8,0x7ffcf89c4708,0x7ffcf89c4718
        3⤵
          PID:4496
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2620,4330123580745304141,2168127826326532111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2660 /prefetch:2
          3⤵
            PID:1140
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2620,4330123580745304141,2168127826326532111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2760 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5068
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2620,4330123580745304141,2168127826326532111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
            3⤵
              PID:4324
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 /u /s C:\Windows\system32\SuperEC_Hook.dll
            2⤵
            • Loads dropped DLL
            PID:4716
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:4592

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\SuperEC_Hook.dll
            Filesize

            368KB

            MD5

            6446f02463634295797ff698eb7eb92e

            SHA1

            64a20417acf7c9bd67efc601236c85fa640426a8

            SHA256

            53022e175ff09af40a8569a641a261ed08dabc7331afbdde97f2f3d6f9321b33

            SHA512

            eeeb4152b92f9c4cad35d596f6fdec8d4e26b93c1a71627007ce5e490c46bd7773cc65309645ace429467b335fea5fe33cb5aac4cf507367cd9ad72a1b9efbfe

            Download Submit

          • C:\Windows\SysWOW64\SuperEC_Hook.dll
            Filesize

            368KB

            MD5

            6446f02463634295797ff698eb7eb92e

            SHA1

            64a20417acf7c9bd67efc601236c85fa640426a8

            SHA256

            53022e175ff09af40a8569a641a261ed08dabc7331afbdde97f2f3d6f9321b33

            SHA512

            eeeb4152b92f9c4cad35d596f6fdec8d4e26b93c1a71627007ce5e490c46bd7773cc65309645ace429467b335fea5fe33cb5aac4cf507367cd9ad72a1b9efbfe

            Download Submit

          • \??\pipe\LOCAL\crashpad_3952_BBMQLUQPUGYUPQOP
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            Download Submit

          • memory/1140-184-0x0000000000000000-mapping.dmp

            Download

          • memory/3952-176-0x0000000000000000-mapping.dmp

            Download

          • memory/4324-188-0x0000000000000000-mapping.dmp

            Download

          • memory/4496-177-0x0000000000000000-mapping.dmp

            Download

          • memory/4716-181-0x0000000016080000-0x0000000016152000-memory.dmp

            Filesize

            840KB

            Download

          • memory/4716-178-0x0000000000000000-mapping.dmp

            Download

          • memory/4876-146-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-174-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-152-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-154-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-156-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-158-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-160-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-162-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-164-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-166-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-168-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-170-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-172-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-150-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-175-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-148-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-132-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-144-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-142-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-140-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-138-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-136-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-133-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4876-134-0x0000000010000000-0x000000001003F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/5068-185-0x0000000000000000-mapping.dmp

            Download