Overview

overview

9

Static

static

8

b0a45372fd...54.exe

windows7-x64

9

b0a45372fd...54.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    100s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 04:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b0a45372fd61daa93a4159e1b517cde8895dad26bb0f5c907f49502b6f5bf454.exe

  • Size

    24KB

  • MD5

    ae741b8664c23c6d9ae0b33da762f66f

  • SHA1

    93fb5060e0b26ad10eed4e8ac124d59cbd38f339

  • SHA256

    b0a45372fd61daa93a4159e1b517cde8895dad26bb0f5c907f49502b6f5bf454

  • SHA512

    5a6630ce86129069f713e717d4ebaebd80e5acf20ff82d68b25ebfe05731921a9b448a92b987dad7b706aed3352e462fa7b2d67be61b12aff9fa82c4891ba75e

  • SSDEEP

    384:9dudjWtQouEU2+ZfEnOrqnTksPvVGk2IjHs2XtbK6wkqYv:9YsnBCZfEOrqngO2IjHlNK62O

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0a45372fd61daa93a4159e1b517cde8895dad26bb0f5c907f49502b6f5bf454.exe
    "C:\Users\Admin\AppData\Local\Temp\b0a45372fd61daa93a4159e1b517cde8895dad26bb0f5c907f49502b6f5bf454.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B0A453~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:1048

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\SysWOW64\56BC86C7.dll
          Filesize

          14KB

          MD5

          4668214dcddd658caf7cf07f9cd422a4

          SHA1

          5b7a7e035b64e30997eb9d84c3c201dc09652a36

          SHA256

          08e8ae6b557d0f56869c1aa6789b48735264a9416e0a594251714867de6667bb

          SHA512

          b982ba456b2cb5a5a5cbfb4aace6dc0102c0b43936f2f7df522d9dc16fef0e42831afa0fb0ac903188c80f3418740c87821c4aa854eaa63c69d1e4ee62874627

          Download Submit

        • memory/1648-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1648-55-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1648-56-0x00000000749F1000-0x00000000749F3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1648-58-0x0000000010000000-0x000000001000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1648-60-0x0000000010000000-0x000000001000E000-memory.dmp

          Filesize

          56KB

          Download