5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da

Analysis

max time kernel
181s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da.exe
Size

46KB
MD5

3e67ce06b48f671249e9f1dce542d25b
SHA1

7570fbfec29595c95634dc09a7f9cdd431c5dcdb
SHA256

5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da
SHA512

6cfd93f78f2e0519f8c1275e211a2cc97a06a4c523efc6c1c24c69eac500fc084f4d9cb91af145b6c20eaf6c08f35447cd5ee4a7d46be75883f335794537c31d
SSDEEP

768:rvZTjc4khCjTRJGF7W/pbMfbpMeKHT1YAa62O8WsAN7dyJu2SFR:bZTGaVgF7W/pbMfbpHM1Yk2OyAuJu5

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3776-133-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1656	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1112	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4344	3776	5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da.exe	79
PID 3776 wrote to memory of 4344	3776	5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da.exe	79
PID 3776 wrote to memory of 4344	3776	5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da.exe	79
PID 4344 wrote to memory of 5060	4344	cmd.exe	81
PID 4344 wrote to memory of 5060	4344	cmd.exe	81
PID 4344 wrote to memory of 5060	4344	cmd.exe	81
PID 4344 wrote to memory of 2184	4344	cmd.exe	82
PID 4344 wrote to memory of 2184	4344	cmd.exe	82
PID 4344 wrote to memory of 2184	4344	cmd.exe	82
PID 4344 wrote to memory of 4212	4344	cmd.exe	83
PID 4344 wrote to memory of 4212	4344	cmd.exe	83
PID 4344 wrote to memory of 4212	4344	cmd.exe	83
PID 4344 wrote to memory of 1112	4344	cmd.exe	84
PID 4344 wrote to memory of 1112	4344	cmd.exe	84
PID 4344 wrote to memory of 1112	4344	cmd.exe	84
PID 4344 wrote to memory of 1656	4344	cmd.exe	85
PID 4344 wrote to memory of 1656	4344	cmd.exe	85
PID 4344 wrote to memory of 1656	4344	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da.exe
"C:\Users\Admin\AppData\Local\Temp\5224d1f933ccfbd1567284d2f316ce9f835d2d8fbd920581de1357209eca26da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\downsetup.bat" > NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:c:\163\ftp.txt
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:c:\163\copy.txt
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:c:\163\down.txt
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 -w 500 0.0.0.1
    3⤵
    - Runs ping.exe
    PID:1112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mshta.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\downsetup.bat

Filesize
2KB

MD5
aadd0a1cf4862c3ec665e00b6a7ef185

SHA1
60a2559027276874da81f5f708ea024c00b415db

SHA256
c55b2691a110f599350d32dcc34a6b0c0bc15727a7067ce1903777bd5bb20c8b

SHA512
50417820946ee169605e025a1103ad0c679fff91b93f56bd3e5b0948b0a003195b66a0473edc43efcbe92d65fa349c559a77ff13d711edb89771a25c71f3700b

Download Submit
\??\c:\163\ftp.txt

Filesize
282B

MD5
8b3d85819401e168646e705a262dd6e4

SHA1
1c5a810dfed73eaae7940cf521387cdd8d3bf1c2

SHA256
f1d307dfc4eb83823ca4c3663cdb8fc74ad241cc7fdb03627b8a53e2ef5b4f96

SHA512
a5886778d13eb2e9898440a51e26be3db80eb2d78f926b1eefa559cdc073ab1b4c4b0bac3386cb2d1945608cf64f945b276702baf521e4e93d6d79da1e4e5c0f

Download Submit
memory/3776-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download