b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3

Analysis

max time kernel
185s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
Size

149KB
MD5

6e5bdd25a4502fe0182191d0bf6b6e78
SHA1

212f6790d31a01335270cdaae9ccb32c7e6df339
SHA256

b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3
SHA512

744785092cb98d3b11cfa32422f8997d1d767986a7600bebe12f7b8d75885207baad06ed8141e1c4107f959278f4533718cb94b743709a476ab21d818d5961d2
SSDEEP

3072:otCB0WJV7lJS6YESryJrHBCSGjorcofYRxYv0supMU4HpNGh6NbWQRxi:nBvV7lJSp2BBmquh4HacVRxi

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXPlatformm.exe	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
File created	C:\Windows\SysWOW64\drivers\TXPlatformm.exe	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe

Executes dropped EXE 3 IoCs

pid	Process
1504	TXPlatformm.exe
584	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
1076	Au_.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1776-54-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/files/0x0007000000014b5d-58.dat	upx
behavioral1/files/0x0007000000014b5d-59.dat	upx
behavioral1/files/0x0007000000014b5d-61.dat	upx
behavioral1/memory/1504-64-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1776-65-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/files/0x0007000000014b5d-63.dat	upx
behavioral1/files/0x0002000000006c91-66.dat	upx
behavioral1/files/0x0002000000006c91-67.dat	upx
behavioral1/files/0x0002000000006c91-69.dat	upx
behavioral1/memory/584-72-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/files/0x0007000000014bf0-73.dat	upx
behavioral1/memory/584-76-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/files/0x0007000000014bf0-75.dat	upx
behavioral1/files/0x0007000000014bf0-78.dat	upx
behavioral1/memory/1076-83-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1964	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
1964	cmd.exe
584	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
1076	Au_.exe
1076	Au_.exe
1076	Au_.exe
1076	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe
1504	TXPlatformm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	Au_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1964	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	27
PID 1776 wrote to memory of 1964	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	27
PID 1776 wrote to memory of 1964	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	27
PID 1776 wrote to memory of 1964	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	27
PID 1776 wrote to memory of 1504	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	29
PID 1776 wrote to memory of 1504	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	29
PID 1776 wrote to memory of 1504	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	29
PID 1776 wrote to memory of 1504	1776	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	29
PID 1964 wrote to memory of 584	1964	cmd.exe	30
PID 1964 wrote to memory of 584	1964	cmd.exe	30
PID 1964 wrote to memory of 584	1964	cmd.exe	30
PID 1964 wrote to memory of 584	1964	cmd.exe	30
PID 584 wrote to memory of 1076	584	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	31
PID 584 wrote to memory of 1076	584	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	31
PID 584 wrote to memory of 1076	584	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	31
PID 584 wrote to memory of 1076	584	b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe	31

C:\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
"C:\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\9$$.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe
    "C:\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:1076
- C:\Windows\SysWOW64\drivers\TXPlatformm.exe
  C:\Windows\system32\drivers\TXPlatformm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9$$.bat

Filesize
677B

MD5
b9f2abb667e087e4d3b25b2db63a5c82

SHA1
f30ebda8aa096f299e6cf30b04e0e577ea892f6f

SHA256
1293099f4c80e3fce47ebd8bb6254c4b91938af1dfe81ee801f8e7a0da5412eb

SHA512
d49565e9573f9fda0f215427b66c2b12f7ee747b5847df4e03f40da127420d04997e905cd9bd76df71d8ce6a65859fad9115d22f3116e3ab4c2414b796676811

Download Submit
C:\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe

Filesize
71KB

MD5
2a4d75aab9811a5ba35b93519d1dfc79

SHA1
2bdd6485ea2402044eb1274d6924d912ddc348be

SHA256
026eeb2bc0ac0b8bb4ea3dc365d6efa7dd225d317526a6243f9e72ffe68cf547

SHA512
e70ed234deb12f98acef0b0aeeb5d3589a639988c791d4cc994e146b4f464e12f84820832f2d388881dbf530b8d3edb017ab7f190eb97ec3522ffd4e6e309bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe.exe

Filesize
71KB

MD5
2a4d75aab9811a5ba35b93519d1dfc79

SHA1
2bdd6485ea2402044eb1274d6924d912ddc348be

SHA256
026eeb2bc0ac0b8bb4ea3dc365d6efa7dd225d317526a6243f9e72ffe68cf547

SHA512
e70ed234deb12f98acef0b0aeeb5d3589a639988c791d4cc994e146b4f464e12f84820832f2d388881dbf530b8d3edb017ab7f190eb97ec3522ffd4e6e309bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
71KB

MD5
2a4d75aab9811a5ba35b93519d1dfc79

SHA1
2bdd6485ea2402044eb1274d6924d912ddc348be

SHA256
026eeb2bc0ac0b8bb4ea3dc365d6efa7dd225d317526a6243f9e72ffe68cf547

SHA512
e70ed234deb12f98acef0b0aeeb5d3589a639988c791d4cc994e146b4f464e12f84820832f2d388881dbf530b8d3edb017ab7f190eb97ec3522ffd4e6e309bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
71KB

MD5
2a4d75aab9811a5ba35b93519d1dfc79

SHA1
2bdd6485ea2402044eb1274d6924d912ddc348be

SHA256
026eeb2bc0ac0b8bb4ea3dc365d6efa7dd225d317526a6243f9e72ffe68cf547

SHA512
e70ed234deb12f98acef0b0aeeb5d3589a639988c791d4cc994e146b4f464e12f84820832f2d388881dbf530b8d3edb017ab7f190eb97ec3522ffd4e6e309bb4

Download Submit
C:\Windows\SysWOW64\drivers\TXPlatformm.exe

Filesize
77KB

MD5
90aefa53ae9588c4f32fffc7ff82d2f2

SHA1
8ee0605d93227d85704e00961e78b68b782a5475

SHA256
b093a684da6520a4caf9912e87265905c4fcb68e3ca6c810948af22a920fab79

SHA512
7f32a915e2656e902a4e3dda4d9795e6f3dc28a00e8f470585b3c8fc2618ed854d3d9cbe7aaabfde3a07d66807a5abf61de8e590eb9ec840f567b54ffff4b8cd

Download Submit
C:\Windows\SysWOW64\drivers\TXPlatformm.exe

Filesize
77KB

MD5
90aefa53ae9588c4f32fffc7ff82d2f2

SHA1
8ee0605d93227d85704e00961e78b68b782a5475

SHA256
b093a684da6520a4caf9912e87265905c4fcb68e3ca6c810948af22a920fab79

SHA512
7f32a915e2656e902a4e3dda4d9795e6f3dc28a00e8f470585b3c8fc2618ed854d3d9cbe7aaabfde3a07d66807a5abf61de8e590eb9ec840f567b54ffff4b8cd

Download Submit
\Users\Admin\AppData\Local\Temp\b04e6143577d3b6be232b3363739f0bcdca29060b8c87c14e00b64bdb85fddc3.exe

Filesize
71KB

MD5
2a4d75aab9811a5ba35b93519d1dfc79

SHA1
2bdd6485ea2402044eb1274d6924d912ddc348be

SHA256
026eeb2bc0ac0b8bb4ea3dc365d6efa7dd225d317526a6243f9e72ffe68cf547

SHA512
e70ed234deb12f98acef0b0aeeb5d3589a639988c791d4cc994e146b4f464e12f84820832f2d388881dbf530b8d3edb017ab7f190eb97ec3522ffd4e6e309bb4

Download Submit
\Users\Admin\AppData\Local\Temp\nso1631.tmp\GetVersion.dll

Filesize
5KB

MD5
c6910d6e78c2e5f9d57d0bc6d8f6b736

SHA1
a395099062298b3f3c015359b227ca02a72c6e2c

SHA256
b2c32af2b0d75dfd08ae4e1ad7c5897957240b32bf7a16855d6a46512d272b9b

SHA512
4cd45b887ce5b7fecfd863cae83817465d7378cc9f5b50f5762d5f209c55a37257d94e91dea4c91c66f2c5bf22cdc1f5545eeef52a090f05cceeedf59bbd2a10

Download Submit
\Users\Admin\AppData\Local\Temp\nso1631.tmp\InstallOptions.dll

Filesize
14KB

MD5
7af3ead73bedf48083d088228d99b200

SHA1
66123f71a8303951517748317a6a475e1154a7c7

SHA256
75ff58404f0211a16341aee2eeeb5c19afc8d7827a79b27c5aa501f53a0bad71

SHA512
9635319adb84555568356a63b7608fb1e7df74625d56ad1d43caa3048ef0cd8c39919c87d8ecf3841a7c770a7f2c5895239140969a23aeb7720fd03f402693b4

Download Submit
\Users\Admin\AppData\Local\Temp\nso1631.tmp\System.dll

Filesize
10KB

MD5
0b96e50e5fd9b241435cfec46600b5a7

SHA1
1f79688c6bdd78b4e1812b110fd16d27c59b32d5

SHA256
10841d8d0a0fa457a62be63af7e30e72ffaec265470dbe16c0d61cc5b111d1e6

SHA512
01a5884ce81a622f81da23c4075aef4cbe68d18471908bb6082ad98bfd002c8a6c2b8069d250df0320cde22ad76eedc14a5d9369b370c2012d58575720da48b7

Download Submit
\Users\Admin\AppData\Local\Temp\nso1631.tmp\UserInfo.dll

Filesize
4KB

MD5
fcad39646b416b4c2e0ea259554c3ec1

SHA1
8cb881913d923de35e6e131c2329b20ce51fe84f

SHA256
bc3872dbafefc41db2191b11b7371e988736dc12c9913bead1aa953dd28ef62b

SHA512
d81e00ac4828cce4ada42d28845d91601a98a6647d7b4fabad23e45b1aa529297fc554771b8cf8e484525e91a58f892ba5836263a81d6c061a54801abf0beecf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
71KB

MD5
2a4d75aab9811a5ba35b93519d1dfc79

SHA1
2bdd6485ea2402044eb1274d6924d912ddc348be

SHA256
026eeb2bc0ac0b8bb4ea3dc365d6efa7dd225d317526a6243f9e72ffe68cf547

SHA512
e70ed234deb12f98acef0b0aeeb5d3589a639988c791d4cc994e146b4f464e12f84820832f2d388881dbf530b8d3edb017ab7f190eb97ec3522ffd4e6e309bb4

Download Submit
\Windows\SysWOW64\drivers\TXPlatformm.exe

Filesize
77KB

MD5
90aefa53ae9588c4f32fffc7ff82d2f2

SHA1
8ee0605d93227d85704e00961e78b68b782a5475

SHA256
b093a684da6520a4caf9912e87265905c4fcb68e3ca6c810948af22a920fab79

SHA512
7f32a915e2656e902a4e3dda4d9795e6f3dc28a00e8f470585b3c8fc2618ed854d3d9cbe7aaabfde3a07d66807a5abf61de8e590eb9ec840f567b54ffff4b8cd

Download Submit
\Windows\SysWOW64\drivers\TXPlatformm.exe

Filesize
77KB

MD5
90aefa53ae9588c4f32fffc7ff82d2f2

SHA1
8ee0605d93227d85704e00961e78b68b782a5475

SHA256
b093a684da6520a4caf9912e87265905c4fcb68e3ca6c810948af22a920fab79

SHA512
7f32a915e2656e902a4e3dda4d9795e6f3dc28a00e8f470585b3c8fc2618ed854d3d9cbe7aaabfde3a07d66807a5abf61de8e590eb9ec840f567b54ffff4b8cd

Download Submit
memory/584-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/584-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-83-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1776-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1776-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1776-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1964-71-0x0000000000170000-0x00000000001B3000-memory.dmp

Filesize
268KB

Download