Analysis
Max time kernel: 151s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/11/2022, 06:00
Behavioral tasks
- behavioral1
  Sample: 1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
  Resource: win7-20221111-en
- behavioral2
  Sample: 1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
  Resource: win10v2004-20220812-en
General
Target: 1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
Size: 84KB
MD5: 2c0638e54927d3af92d81b9bc4cb3f60
SHA1: f48d69aaa7b4ccd03d95f500f97e287ac2c7297c
SHA256: 1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f
SHA512: 4f5a02c755c6511359d40a7b8c9f9ecc4124e948f3b0589a131c6e69abe746002e6a4d0ba4c31a66ca46ab09fa458f37864ca996e693497198322ff2bbb866d9
SSDEEP: 1536:6wKKva3L9Q3N1s/B/gjHAl4wS1rILJrA4f4bAgL+CSGRQbgR8dN:6wLvab9GHsJ/54wSt0HCVLFlw
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid   Process
  4960  explorer.exe

  resource                                                                        yara_rule
  behavioral2/memory/4200-132-0x0000000000400000-0x0000000000451000-memory.dmp    upx
  behavioral2/files/0x000b000000022f44-134.dat                                    upx
  behavioral2/files/0x000b000000022f44-135.dat                                    upx
  behavioral2/memory/4960-136-0x0000000000400000-0x0000000000451000-memory.dmp    upx
  behavioral2/memory/4200-140-0x0000000000400000-0x0000000000451000-memory.dmp    upx
  behavioral2/memory/4960-141-0x0000000000400000-0x0000000000451000-memory.dmp    upx

- Drops startup file (1 IoC)
  description                   ioc                                                                                   Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8970.lnk  explorer.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  4960  explorer.exe
  4960  explorer.exe

- Enumerates connected drives (3 TTPs, 44 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                                  Process
  File opened (read-only)  \??\e: through \??\z: (22 letters)   1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
  File opened (read-only)  \??\e: through \??\z: (22 letters)   explorer.exe
  (Both processes open every drive letter from e: to z:: e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z; 22 IoCs per process, 44 in total.)

- Drops file in Program Files directory (5 IoCs)
  description                   ioc                                                             Process
  File created                  C:\Program Files (x86)\Common Files\uiui8.dll                   explorer.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe  explorer.exe
  File created                  C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
  File opened for modification  C:\Program Files (x86)\Common Files\uiui8.dll                   explorer.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4200  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe  (2 occurrences)
  4960  explorer.exe  (62 occurrences)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                   pid   Process
  Token: SeLoadDriverPrivilege  4200  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe
  Token: SeLoadDriverPrivilege  4960  explorer.exe
  Token: SeDebugPrivilege       4960  explorer.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4960  explorer.exe
  4960  explorer.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                               procid_target
  PID 4200 wrote to memory of 4960   4200  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe  80
  PID 4200 wrote to memory of 4960   4200  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe  80
  PID 4200 wrote to memory of 4960   4200  1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe  80
Processes
- C:\Users\Admin\AppData\Local\Temp\1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe (PID 4200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe (PID 4960)
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 84KB
  MD5: 2c0638e54927d3af92d81b9bc4cb3f60
  SHA1: f48d69aaa7b4ccd03d95f500f97e287ac2c7297c
  SHA256: 1e28bb76379081e670d879e5c43aedfdd38c41828fe8b57b9c062eed83c2bb9f
  SHA512: 4f5a02c755c6511359d40a7b8c9f9ecc4124e948f3b0589a131c6e69abe746002e6a4d0ba4c31a66ca46ab09fa458f37864ca996e693497198322ff2bbb866d9
- Filesize: 17KB
  MD5: 90b1f2289c3121611de1b47a54803e38
  SHA1: 8c1a78e9e777072aa60c365feb94b4eaee93ee8a
  SHA256: 28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c
  SHA512: 216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6