e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe
Size

1.0MB
MD5

a04f93978a3f28e28fcfb19fbf2dac5a
SHA1

15c804e499f8ab46a377e50674c0e0df31282ce6
SHA256

e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c
SHA512

0330ad98907293a668cfed90c9f52df67b30c53bbe97dea0abd2d1e01e3baf98553e96c7794ef3bceeb42e285f78a15c2aa5d6d8b322f44ba12ab791b60a053b
SSDEEP

12288:j5ORcHoQppTTq1T/gS4IAQsCV6HW/2gmz3Kg4Di5LoUv1UpsSRwKIg:jIJkqt/gDkV6HJfzag4DiloU9UpsEwU

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1464	pRKjGE.exe
1784	lsass.exe
1600	lsass.exe
1628	lsass.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/588-64-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/588-66-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/588-67-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/588-70-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/588-71-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/588-74-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1488-76-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1488-82-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1488-79-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1488-78-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1488-83-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1488-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1952-103-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/296-118-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/588-119-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1544	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe
1488	svchost.exe
1952	svchost.exe
296	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 588	1464	pRKjGE.exe	27
PID 588 set thread context of 1488	588	svchost.exe	28
PID 588 set thread context of 1952	588	svchost.exe	30
PID 588 set thread context of 296	588	svchost.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1464	pRKjGE.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	svchost.exe
Token: SeDebugPrivilege	1952	svchost.exe
Token: SeDebugPrivilege	296	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
588	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1464	1544	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	26
PID 1544 wrote to memory of 1464	1544	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	26
PID 1544 wrote to memory of 1464	1544	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	26
PID 1544 wrote to memory of 1464	1544	e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe	26
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 1464 wrote to memory of 588	1464	pRKjGE.exe	27
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 588 wrote to memory of 1488	588	svchost.exe	28
PID 1488 wrote to memory of 1784	1488	svchost.exe	29
PID 1488 wrote to memory of 1784	1488	svchost.exe	29
PID 1488 wrote to memory of 1784	1488	svchost.exe	29
PID 1488 wrote to memory of 1784	1488	svchost.exe	29
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 588 wrote to memory of 1952	588	svchost.exe	30
PID 1952 wrote to memory of 1600	1952	svchost.exe	31
PID 1952 wrote to memory of 1600	1952	svchost.exe	31
PID 1952 wrote to memory of 1600	1952	svchost.exe	31
PID 1952 wrote to memory of 1600	1952	svchost.exe	31
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 588 wrote to memory of 296	588	svchost.exe	32
PID 296 wrote to memory of 1628	296	svchost.exe	33
PID 296 wrote to memory of 1628	296	svchost.exe	33
PID 296 wrote to memory of 1628	296	svchost.exe	33
PID 296 wrote to memory of 1628	296	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe
"C:\Users\Admin\AppData\Local\Temp\e7b70df76925ff1c7559bb526bf7f51ff2dc1c9219a3d169a64f51abac0d048c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe" "DycPrB"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
        5⤵
        Executes dropped EXE
        
        PID:1784
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
        5⤵
        Executes dropped EXE
        
        PID:1600
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:296
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
        5⤵
        Executes dropped EXE
        
        PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DycPrB

Filesize
5KB

MD5
91087de4aeacfe4036d445aae61b1394

SHA1
96538cf12ca5b06b4111b36fd4bf767f31cc960c

SHA256
513a456feab6f4da16014c7cfa698cae798b9879b0ceedcc60c63f4edf7c3d09

SHA512
d02c30db3f102d649da60ff94078e1ec68c721b8dfd74b5803feea98a2b8c94356a5bc5faa9877abeaab23776cd296d148b57e70d06adc5fcd05f9f8174fee12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fDwLmn.txt

Filesize
297KB

MD5
cfeae746f3979dcca90b9e287f18b80d

SHA1
c0823adeb638ad345602246c3496228e4085907a

SHA256
a30c582192ce2d81c27420ee169fd9f7d56feeca8ca19ee6ad6e36d2b32854a2

SHA512
17dd7807cf5b407c30b1dcf971bde8061e1d17f0a199cf16e24ba96f991bfabe4cee2531fc58f8bbf83a4dab6224962163c8d152fea4e9c1d1027c2845b82817

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skPqYk.exe

Filesize
102KB

MD5
6b921948413e532e0cde806f4e9a5449

SHA1
6085ad2ab8324da09400e75081a2ba98de0b2a4f

SHA256
d0b0b68cbff33af198b7b7199202eb6f52d5f2b75d5070a4fcd7ad20b358e351

SHA512
263a24e0ab14718f5babfd1cf21522ee0edadda1822dddfc19f93933ff861cee6f033ca086e3594690cb4c2d89c9605c3ce43b4ed5769cee19d0c6dd8e860a79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\pRKjGE.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
memory/296-118-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/588-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-119-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-67-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-66-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-63-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/588-64-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1488-79-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-82-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1952-103-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download