38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c

Analysis

max time kernel
314s
max time network
444s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
Size

460KB
MD5

5ea129b89440008e1e26ec68000d041b
SHA1

6e7203625e657415245e4344df8d2cf31fd66cf0
SHA256

38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c
SHA512

110c8caa5ed67705ec12b8bc764bc84455e5a14ae410ebac300eee21b29664c2c3ae188aca3a9d01aeb1bf64c300be19279d57b90102c00a3d5050dc1d2eb714
SSDEEP

12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
668	iBdqphzke5.exe
824	astat.exe
2268	astat.exe
3916	dstat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2268-145-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2268-148-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2268-149-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2268-150-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 2268	824	astat.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	astat.exe
2268	astat.exe
668	iBdqphzke5.exe
668	iBdqphzke5.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe
2268	astat.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
668	iBdqphzke5.exe
824	astat.exe
3916	dstat.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 668	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	80
PID 4420 wrote to memory of 668	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	80
PID 4420 wrote to memory of 668	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	80
PID 4420 wrote to memory of 824	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	83
PID 4420 wrote to memory of 824	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	83
PID 4420 wrote to memory of 824	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	83
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 824 wrote to memory of 2268	824	astat.exe	84
PID 4420 wrote to memory of 3916	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	85
PID 4420 wrote to memory of 3916	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	85
PID 4420 wrote to memory of 3916	4420	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	85

C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
"C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\iBdqphzke5.exe
  C:\Users\Admin\iBdqphzke5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Users\Admin\astat.exe
  C:\Users\Admin\astat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\astat.exe
    "C:\Users\Admin\astat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- C:\Users\Admin\dstat.exe
  C:\Users\Admin\dstat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
C:\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
memory/2268-149-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2268-150-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2268-148-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2268-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download