dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1

Analysis

max time kernel
35s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe
Size

98KB
MD5

25b3f992c2ab8e8b12e8684dcd00e5e0
SHA1

c05df6faa70f9311f5ff39ed3f117cbba4c1e9e3
SHA256

dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1
SHA512

6adf828c448297d68e0842ad74f36674ab0d2fa1dd5a2a1d35cfc7a9078868e71d1f250be220abc88f7c73675b9218f8e4b845ed5bc42942ba6dc69213243897
SSDEEP

1536:MMMamqCubWRVoIHQ9SMxevLrs9zq/+gMYq0rkIdHx9mB8HxWZozbY6BJymq7vUq:IQbWwIHEgv0QpMTIlXWZozbYPmeqV

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\lsass.exe"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1192-55-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/1192-57-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/1192-65-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1616	cmd.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 964	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	27
PID 1192 wrote to memory of 964	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	27
PID 1192 wrote to memory of 964	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	27
PID 1192 wrote to memory of 964	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	27
PID 1192 wrote to memory of 944	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	29
PID 1192 wrote to memory of 944	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	29
PID 1192 wrote to memory of 944	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	29
PID 1192 wrote to memory of 944	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	29
PID 964 wrote to memory of 1616	964	cmd.exe	30
PID 964 wrote to memory of 1616	964	cmd.exe	30
PID 964 wrote to memory of 1616	964	cmd.exe	30
PID 964 wrote to memory of 1616	964	cmd.exe	30
PID 1192 wrote to memory of 1704	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	32
PID 1192 wrote to memory of 1704	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	32
PID 1192 wrote to memory of 1704	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	32
PID 1192 wrote to memory of 1704	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	32
PID 944 wrote to memory of 984	944	cmd.exe	34
PID 944 wrote to memory of 984	944	cmd.exe	34
PID 944 wrote to memory of 984	944	cmd.exe	34
PID 944 wrote to memory of 984	944	cmd.exe	34
PID 1192 wrote to memory of 1344	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	35
PID 1192 wrote to memory of 1344	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	35
PID 1192 wrote to memory of 1344	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	35
PID 1192 wrote to memory of 1344	1192	dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe	35
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1704 wrote to memory of 1872	1704	cmd.exe	37
PID 1344 wrote to memory of 664	1344	cmd.exe	39
PID 1344 wrote to memory of 664	1344	cmd.exe	39
PID 1344 wrote to memory of 664	1344	cmd.exe	39
PID 1344 wrote to memory of 664	1344	cmd.exe	39
PID 984 wrote to memory of 1932	984	cmd.exe	38
PID 984 wrote to memory of 1932	984	cmd.exe	38
PID 984 wrote to memory of 1932	984	cmd.exe	38
PID 984 wrote to memory of 1932	984	cmd.exe	38
PID 664 wrote to memory of 1524	664	cmd.exe	41
PID 664 wrote to memory of 1524	664	cmd.exe	41
PID 664 wrote to memory of 1524	664	cmd.exe	41
PID 664 wrote to memory of 1524	664	cmd.exe	41
PID 1872 wrote to memory of 1840	1872	cmd.exe	40
PID 1872 wrote to memory of 1840	1872	cmd.exe	40
PID 1872 wrote to memory of 1840	1872	cmd.exe	40
PID 1872 wrote to memory of 1840	1872	cmd.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1840	attrib.exe
1524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe
"C:\Users\Admin\AppData\Local\Temp\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe" "C:\Users\Admin\AppData\lsass.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe" "C:\Users\Admin\AppData\lsass.exe"
    3⤵
    - Suspicious behavior: RenamesItself
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\SysWOW64\reg.exe
      reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c attrib +h "C:\Users\Admin\AppData\lsass.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib +h "C:\Users\Admin\AppData\lsass.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Users\Admin\AppData\lsass.exe"
      4⤵
      Views/modifies file attributes
      PID:1840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd /c attrib +h "C:\Users\Admin\AppData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib +h "C:\Users\Admin\AppData"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Users\Admin\AppData"
      4⤵
      Views/modifies file attributes
      PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-58-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1192-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads