Overview

overview

8

Static

static

8

EZDJ_P~1.exe

windows7-x64

7

EZDJ_P~1.exe

windows10-2004-x64

7

NEWAUT~1.exe

windows7-x64

8

NEWAUT~1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 06:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEWAUT~1.exe

  • Size

    337KB

  • MD5

    042f1e715fc864c28e2ab52d19c6f76e

  • SHA1

    8e1962952826639ec48b077609558b3528c6eb35

  • SHA256

    27a695e1ea6169447ed5f03e06ed5fe339a437bac604abf95a1036dfcc2bb1b5

  • SHA512

    50596d252c5bcfdf9f8522ca1b124e00a90b259b4fce93df8d93a9c0cfb02becdfef90b59243073cf6c4d612a9e3197658a6a9a370d51339a836016909876672

  • SSDEEP

    6144:ElZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lLI7JAf2ekPQtyj:EHLUMuiv9RgfSjAzRtymJAiPA6

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEWAUT~1.exe
    "C:\Users\Admin\AppData\Local\Temp\NEWAUT~1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp/server.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        C:\Users\Admin\AppData\Local\Temp\server.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3276
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2932

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\server.exe
            Filesize

            59KB

            MD5

            221b7a0d98ca5ee8702556c048bc26b0

            SHA1

            43ce96f1c512370e4886b812c660b75db962d81a

            SHA256

            27c38575d2315ebb27077fa6499e7818826323244d51e1745b3faf0b35805b64

            SHA512

            f1c89cdad7cdfafb3c501789c31b5b0687c0b29493254f6bb23157adf65eefab217324998aca410d51e3881ddde922fc52d4d1b5075a7946855928c3921f5c98

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\server.exe
            Filesize

            59KB

            MD5

            221b7a0d98ca5ee8702556c048bc26b0

            SHA1

            43ce96f1c512370e4886b812c660b75db962d81a

            SHA256

            27c38575d2315ebb27077fa6499e7818826323244d51e1745b3faf0b35805b64

            SHA512

            f1c89cdad7cdfafb3c501789c31b5b0687c0b29493254f6bb23157adf65eefab217324998aca410d51e3881ddde922fc52d4d1b5075a7946855928c3921f5c98

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\server.exe
            Filesize

            59KB

            MD5

            221b7a0d98ca5ee8702556c048bc26b0

            SHA1

            43ce96f1c512370e4886b812c660b75db962d81a

            SHA256

            27c38575d2315ebb27077fa6499e7818826323244d51e1745b3faf0b35805b64

            SHA512

            f1c89cdad7cdfafb3c501789c31b5b0687c0b29493254f6bb23157adf65eefab217324998aca410d51e3881ddde922fc52d4d1b5075a7946855928c3921f5c98

            Download Submit

          • memory/2932-142-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3276-138-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3276-141-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3276-143-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3276-144-0x0000000010000000-0x0000000010013000-memory.dmp

            Filesize

            76KB

            Download

          • memory/3916-132-0x0000000000400000-0x00000000004B8000-memory.dmp

            Filesize

            736KB

            Download

          • memory/3916-136-0x0000000000400000-0x00000000004B8000-memory.dmp

            Filesize

            736KB

            Download