b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
Size

335KB
MD5

3123850b28df13cc3563713cb64caef5
SHA1

d44eab7bf6067f3618c5aa9ac9e7a83a7127143f
SHA256

b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481
SHA512

2dad171e4e6c909080d299be105d39fc126840509908a7be981db5a6721c62f01bedccb2bcd73f3e9445bc5a1b1b72211221634c77906f712d7d0b3ecdde2f69
SSDEEP

6144:ZbXE9OiTGfhEClq9Zd6cdURGBFphMn3k/NEXWGHAcRUoCR:hU9XiuiywGFpqn3k/NuVnk

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	i12.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012304-58.dat	upx
behavioral1/files/0x0008000000012304-57.dat	upx
behavioral1/files/0x0008000000012304-60.dat	upx
behavioral1/memory/1916-63-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x0008000000012304-67.dat	upx
behavioral1/files/0x0008000000012304-66.dat	upx
behavioral1/files/0x0008000000012304-68.dat	upx
behavioral1/memory/1916-69-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt1.jpg	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
File opened for modification	C:\Program Files (x86)\ololo\i12.exe	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
File opened for modification	C:\Program Files (x86)\ololo\test3.bat	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
File opened for modification	C:\Program Files (x86)\ololo\p.txt	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
File opened for modification	C:\Program Files (x86)\ololo\ku4uqt1.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1532	1916	WerFault.exe	30

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
556	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 584	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	28
PID 1720 wrote to memory of 584	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	28
PID 1720 wrote to memory of 584	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	28
PID 1720 wrote to memory of 584	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	28
PID 1720 wrote to memory of 1916	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	30
PID 1720 wrote to memory of 1916	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	30
PID 1720 wrote to memory of 1916	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	30
PID 1720 wrote to memory of 1916	1720	b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe	30
PID 1916 wrote to memory of 1532	1916	i12.exe	34
PID 1916 wrote to memory of 1532	1916	i12.exe	34
PID 1916 wrote to memory of 1532	1916	i12.exe	34
PID 1916 wrote to memory of 1532	1916	i12.exe	34

C:\Users\Admin\AppData\Local\Temp\b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
"C:\Users\Admin\AppData\Local\Temp\b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\ololo\test3.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:584
- C:\Program Files (x86)\ololo\i12.exe
  "C:\Program Files (x86)\ololo\i12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1532

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ololo\i12.exe

Filesize
103KB

MD5
a37e8b3ae5d350aa0932b10ed8d4ef2e

SHA1
82dc374225ab3c69d57fddf7c205bf4f3646ee1f

SHA256
4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

SHA512
4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

Download Submit
C:\Program Files (x86)\ololo\ku4uqt1.jpg

Filesize
51KB

MD5
b0f288f8053aa9f457c1dc867f2e3a26

SHA1
40103a7b0390bfe773414b37a8a0481f1d334ea9

SHA256
bda6429b629f34f3549518b0a5c2262eb3aa1eb74a1e5c472f97effd32c032f6

SHA512
bad571efb5b4fa3eac1f47308760199b68b042e06d5a69963366c5fa2250b1b3cff69bd659e11b5cfc976fef4def282aa386f3b8a32ff9e2a4f8ced616b1b569

Download Submit
C:\Program Files (x86)\ololo\p.txt

Filesize
2B

MD5
3416a75f4cea9109507cacd8e2f2aefc

SHA1
761f22b2c1593d0bb87e0b606f990ba4974706de

SHA256
3d914f9348c9cc0ff8a79716700b9fcd4d2f3e711608004eb8f138bcba7f14d9

SHA512
e145ddd4c63521bd646145211682ea52dff04e67e79889fab04613dc7b6693368af53eb483dd22d278f6aa21bf180b1c83a1e3130e612f5722e50f11af694842

Download Submit
C:\Program Files (x86)\ololo\test3.bat

Filesize
13KB

MD5
57b0c7259deb7b8baab290749af0c0f3

SHA1
612a22058e1c24f767e2fa5e6bc3d43d7f5b0f6d

SHA256
e13382cda584a4d2a38e7659e13d1343097c2a17d72d9b2489fa6d29f08f690f

SHA512
93c41867574b4b28150d3897ab153df3913c08aa713b519b25c6ba819dc3a65183da643cda3d48c14aace7dabcb09d297ccc5e1c814ba9249d873f7a29992b60

Download Submit
\Program Files (x86)\ololo\i12.exe

Filesize
103KB

MD5
a37e8b3ae5d350aa0932b10ed8d4ef2e

SHA1
82dc374225ab3c69d57fddf7c205bf4f3646ee1f

SHA256
4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

SHA512
4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

Download Submit
\Program Files (x86)\ololo\i12.exe

Filesize
103KB

MD5
a37e8b3ae5d350aa0932b10ed8d4ef2e

SHA1
82dc374225ab3c69d57fddf7c205bf4f3646ee1f

SHA256
4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

SHA512
4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

Download Submit
\Program Files (x86)\ololo\i12.exe

Filesize
103KB

MD5
a37e8b3ae5d350aa0932b10ed8d4ef2e

SHA1
82dc374225ab3c69d57fddf7c205bf4f3646ee1f

SHA256
4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

SHA512
4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

Download Submit
\Program Files (x86)\ololo\i12.exe

Filesize
103KB

MD5
a37e8b3ae5d350aa0932b10ed8d4ef2e

SHA1
82dc374225ab3c69d57fddf7c205bf4f3646ee1f

SHA256
4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

SHA512
4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

Download Submit
\Program Files (x86)\ololo\i12.exe

Filesize
103KB

MD5
a37e8b3ae5d350aa0932b10ed8d4ef2e

SHA1
82dc374225ab3c69d57fddf7c205bf4f3646ee1f

SHA256
4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

SHA512
4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

Download Submit
memory/1720-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1916-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download