be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0

Analysis

max time kernel
226s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
Size

929KB
MD5

dff3eacc5af287364c9f7c2d1db6d6eb
SHA1

612abe186dd2cd2d039fc14b2719b9bb272b5f26
SHA256

be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0
SHA512

e924ed0c80ab595f054ac34d28aebf0ebf4a0ec90daa003a894830d5931824b67a842881fa25a39c8e8dc160a5c984af0afba7bb5e40200a4fb0708bcb7fa25e
SSDEEP

24576:lslXB0Eo/M+teLfBoioRipU7RPHGxqfS7bWCg6+v7O9hQA4Er:OlVQAfBwioOESmCg6+jO9uv4

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	aav.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/540-55-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/540-63-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AAV\aav.cpl	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File opened for modification	C:\Program Files (x86)\AAV\aav.exe	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File opened for modification	C:\Program Files (x86)\AAV	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File created	C:\Program Files (x86)\AAV\aav.ooo	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File opened for modification	C:\Program Files (x86)\AAV\aav.ooo	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File opened for modification	C:\Program Files (x86)\AAV\aav0.dat	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File created	C:\Program Files (x86)\AAV\aav1.dat	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File opened for modification	C:\Program Files (x86)\AAV\aav1.dat	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File created	C:\Program Files (x86)\AAV\__tmp_rar_sfx_access_check_7276760	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File created	C:\Program Files (x86)\AAV\aav0.dat	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File created	C:\Program Files (x86)\AAV\aav.cpl	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
File created	C:\Program Files (x86)\AAV\aav.exe	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	1632	WerFault.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	aav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	aav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	aav.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1632	540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe	29
PID 540 wrote to memory of 1632	540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe	29
PID 540 wrote to memory of 1632	540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe	29
PID 540 wrote to memory of 1632	540	be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe	29
PID 1632 wrote to memory of 2028	1632	aav.exe	30
PID 1632 wrote to memory of 2028	1632	aav.exe	30
PID 1632 wrote to memory of 2028	1632	aav.exe	30
PID 1632 wrote to memory of 2028	1632	aav.exe	30

C:\Users\Admin\AppData\Local\Temp\be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe
"C:\Users\Admin\AppData\Local\Temp\be843daa5e4298cfc7ac629d7928ec3b43d61230be57aa99b5a7c63f30e4f8f0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files (x86)\AAV\aav.exe
  "C:\Program Files (x86)\AAV\aav.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 244
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
C:\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
\Program Files (x86)\AAV\aav.exe

Filesize
369KB

MD5
93604de2115a746daf98eeeb335aa19e

SHA1
97398c0d1d16eb98760f99fbd43a5d77c3dad565

SHA256
891f2dbaa65221166f791b7c3a06432ab69098512941b0deeeebe9851a942fe3

SHA512
5e0d6cfb9b8877c7feb2535c498ee6aa92c88906b586597b2fa0f6ce6e04e5721a9cd9ce802da211c45ce404ea15fece65292f979bd9dfc2d8712c20f708d722

Download Submit
memory/540-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/540-57-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1632-65-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1632-64-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download
memory/1632-73-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download
memory/1632-74-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download