f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8

Analysis

max time kernel
13s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
Size

575KB
MD5

64fe771b0930972d8533564f6832972b
SHA1

1857b45b4baa4a1cb86836638baeb1afb20c4101
SHA256

f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8
SHA512

2e1012267d41c663937b9b0fc131bb77048efdeae20771ba2e1de72692bcafff0497bdb4f3be581e918e9a1c4425ef2a78b72365e77af1c23fd8f483daceefbf
SSDEEP

12288:h6Wq4aaE6KwyF5L0Y2D1PqLR3SZ9kouHzip50lZ5xczBB3X:3thEVaPqLR3SZuouu55z33X

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-57-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral1/memory/1844-59-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxFtNm.lnk	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1952-57-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe
behavioral1/memory/1844-59-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
1844	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1844	1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe	28
PID 1952 wrote to memory of 1844	1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe	28
PID 1952 wrote to memory of 1844	1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe	28
PID 1952 wrote to memory of 1844	1952	f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe	28

C:\Users\Admin\AppData\Local\Temp\f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
"C:\Users\Admin\AppData\Local\Temp\f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe
  C:\Users\Admin\AppData\Local\Temp\f5a56c99c78391bbcd20af7e8fd05bf99e30d87196372133cd624da55fff9af8.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
  2⤵
  - Drops startup file
  - Suspicious behavior: RenamesItself
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.bin

Filesize
290KB

MD5
190e5cbeb18d18f2fe9e0e9c71fb7ae5

SHA1
60dd3248c7896c82d39aed04e3308138cf10f401

SHA256
1f51c0911651b5a5017e4d1e38451a683ac67948462fed17076db01a8272e6c5

SHA512
31ac58c3a5c654a0cf635151516fc025438bf02e94fb4895c57e3f44c6e4e383c3420c5050a193e36a45ee1a21c7d6cbaa5348605b86c214fc7d1462d4e7b108

Download Submit
memory/1844-59-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1952-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1952-57-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download