Overview

overview

9

Static

static

8e004cde50...3b.exe

windows7-x64

9

8e004cde50...3b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    138s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 00:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8e004cde50d5a612c203b65e00f504baa973ec5bf7db6a232790edc1456b423b.exe

  • Size

    4.8MB

  • MD5

    2932e66d548ca284f864196dfaec08b2

  • SHA1

    b72580882107ff3ad8fbf1852abfa413a6ce6955

  • SHA256

    8e004cde50d5a612c203b65e00f504baa973ec5bf7db6a232790edc1456b423b

  • SHA512

    e3f096f46d148ed86b3bc1d66bd69a52c27ea22aa5672945e8b3dc9ccf8b0cc5c9fde09bc24010a8303626d51c9dffd51d8eab7b13ff70b1b12a907fe7d83a2f

  • SSDEEP

    98304:tKwUNMtVIZEEnJ+iiSBdW8hKtI0kPG34VSmhqml8f7I5dzSruiloKGxfnnuOuBrn:UwUNCVb2+4dzLilNlVZkOYSF1

Score
9/10
discoveryupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\8e004cde50d5a612c203b65e00f504baa973ec5bf7db6a232790edc1456b423b.exe
        "C:\Users\Admin\AppData\Local\Temp\8e004cde50d5a612c203b65e00f504baa973ec5bf7db6a232790edc1456b423b.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe
          "C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:972
          • C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe
            "C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:4816
        • C:\Program Files (x86)\SubwaySurfers\runme.exe
          "C:\Program Files (x86)\SubwaySurfers\runme.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:1036
        • C:\Program Files (x86)\SubwaySurfers\4konya.exe
          "C:\Program Files (x86)\SubwaySurfers\4konya.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1472
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat" "
            4⤵
            • Drops file in Drivers directory
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5044
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs"
              5⤵
              • Drops file in Drivers directory
              PID:4660
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs"
              5⤵
                PID:4944
          • C:\Program Files (x86)\SubwaySurfers\mac.exe
            "C:\Program Files (x86)\SubwaySurfers\mac.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4372
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
              dw20.exe -x -s 1576
              4⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:3852
      • C:\PROGRA~3\Mozilla\wlgmldg.exe
        C:\PROGRA~3\Mozilla\wlgmldg.exe -tefqmxb
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 556
          2⤵
          • Program crash
          PID:5100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
        1⤵
          PID:4676

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\PROGRA~3\Mozilla\wlgmldg.exe
                Filesize

                171KB

                MD5

                3993ca58fc9c97ba6b16a45ae0ca8206

                SHA1

                0ab8cb21c961111f3d3822441d7d80090a4112b7

                SHA256

                3859b61e595be819310a9970321ff47f35803dfcd883ce4ceced132f03020518

                SHA512

                46c367b31584c00aba7ed0236ecdb449c044a72661c7b7b3db5000358e9d9d9d5c58162877e334384c240342eab9d825e54a62bb536a29c122d082bfbb0edf41

                Download Submit

              • C:\Program Files (x86)\Hn\Ip\indurk.akk
                Filesize

                52B

                MD5

                7aa07f785cfc0913e892ce24cb5c8e94

                SHA1

                91d6ce52e1af94cd41d2dd0a6d3d455433c275cc

                SHA256

                c10db1061105cddf2b206975d9f4f435622e40f86d56102755a5d7b149b0e2a8

                SHA512

                86359083430e1c48a0f5b98934d38fcfd8df76b60b72d7bda5ac6a865a4276fdbdf8a65398b60e9bbff56b54098a2f59077a33037ed1145a4b0a2dba23b3eaaa

                Download Submit

              • C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs
                Filesize

                1KB

                MD5

                e4b07c4d8c2a30fd33975ca46684ce70

                SHA1

                c31d3591f02a3ffa9f830a5de658f8963638573e

                SHA256

                f1a9e5597d260ae2412ab0b58a68f696d50cbe64bc8b8c80cec843d18d5d6fdc

                SHA512

                c2d088174d5fbd79d1736019bdd78109f9462b649da079a6a3c123f15f1c9b1d4c0660c9b703eba83cb474bd789b769f4270a2e9a714d68beac355ee2e45c9ac

                Download Submit

              • C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat
                Filesize

                1KB

                MD5

                903c3fde8f34ea51a43f4bd6ef8d1ca4

                SHA1

                3d1c08f85c9a0d21a3939736ec7a2d8e31e6e266

                SHA256

                64e6320a38d34becae991604650ab485b92f3c7f5fdbd50e4abe2e2cfab47ee8

                SHA512

                aa29b9acdb1f5b85ecc413f0caab022aa16568f81709f66cb9376ed3d7c679763e2d200ffb82547111f2c7fa557cd904a028b21d0a5bf5662614e748df859577

                Download Submit

              • C:\Program Files (x86)\Hn\Ip\poajfmas.dd
                Filesize

                27B

                MD5

                213c0742081a9007c9093a01760f9f8c

                SHA1

                df53bb518c732df777b5ce19fc7c02dcb2f9d81b

                SHA256

                9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

                SHA512

                55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

                Download Submit

              • C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs
                Filesize

                162B

                MD5

                5f382b9588ea4f91896c681fb07d0c4c

                SHA1

                84fd66ccc46556b7fb80a79a9c803a3fee54a929

                SHA256

                d0b58b45574fc822e7551096a35e93c7ebae8219696dd165dfc3796119396944

                SHA512

                5d2e845cfbe8ce2980ab4bfb528105a7198ee4134348437eb2d50d34f1e49dc3be7a94605c41d9c2956ac7cee61dc02b8088b2a277388c4f3171caf97dc8efac

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\4konya.exe
                Filesize

                158KB

                MD5

                07373d3d78d48c0f53b85ad58f24e5bb

                SHA1

                a5b4973d41478b08002b7b5382e34c78ff10eb9c

                SHA256

                e0261994d918a82b593978e14ab648dd584a2a2b90800ffc629cb7690882f46c

                SHA512

                f29461e0fa9ef36aff0f1a3e9d1f8ae28209629c7281d4bd153d6766275eb2d0544c6c132da9029b47c64ca80c52b46281a78a5a9bc8cd11bcffe63f301c2fc9

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\4konya.exe
                Filesize

                158KB

                MD5

                07373d3d78d48c0f53b85ad58f24e5bb

                SHA1

                a5b4973d41478b08002b7b5382e34c78ff10eb9c

                SHA256

                e0261994d918a82b593978e14ab648dd584a2a2b90800ffc629cb7690882f46c

                SHA512

                f29461e0fa9ef36aff0f1a3e9d1f8ae28209629c7281d4bd153d6766275eb2d0544c6c132da9029b47c64ca80c52b46281a78a5a9bc8cd11bcffe63f301c2fc9

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\Interop.IWshRuntimeLibrary.dll
                Filesize

                48KB

                MD5

                d923d4b8d2eba5847c92b8fdd3a0378f

                SHA1

                e99c5b639918616d41e06f1274c6ec5b9706c706

                SHA256

                73de6d8cd7795bed2fe4dd894a3febfc0083b7916b9bedc77a61fa1d23deee84

                SHA512

                2fcc23f1fa829fada9e77814af8062a077871128eddc6233c8bf1673af1ee0475489d2c6b8585e1d4066f2acf0657e024ac7fa93659c0ca0fb68bf582ce068bf

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe
                Filesize

                4.2MB

                MD5

                bd7f0ed0c842dca451ac20874a173120

                SHA1

                4f08086946714494f292dd1674fa4576633ef32a

                SHA256

                4d1360cbb4800ecef9b18dfcf5be94d3cb177f35ccff2d504bf366be144c31e1

                SHA512

                47869456232e4b253c8fe90a360a9a9513ff9c73fceca65eef86628dc50fe069a8f0704a046a5aac68befcbf172587994260c4cff4b75701783ef0074ecfb0d4

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe
                Filesize

                4.2MB

                MD5

                bd7f0ed0c842dca451ac20874a173120

                SHA1

                4f08086946714494f292dd1674fa4576633ef32a

                SHA256

                4d1360cbb4800ecef9b18dfcf5be94d3cb177f35ccff2d504bf366be144c31e1

                SHA512

                47869456232e4b253c8fe90a360a9a9513ff9c73fceca65eef86628dc50fe069a8f0704a046a5aac68befcbf172587994260c4cff4b75701783ef0074ecfb0d4

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\SubwaySurfers.exe
                Filesize

                4.2MB

                MD5

                bd7f0ed0c842dca451ac20874a173120

                SHA1

                4f08086946714494f292dd1674fa4576633ef32a

                SHA256

                4d1360cbb4800ecef9b18dfcf5be94d3cb177f35ccff2d504bf366be144c31e1

                SHA512

                47869456232e4b253c8fe90a360a9a9513ff9c73fceca65eef86628dc50fe069a8f0704a046a5aac68befcbf172587994260c4cff4b75701783ef0074ecfb0d4

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\mac.exe
                Filesize

                86KB

                MD5

                47af31afd8658aa7924283ce9f33ab0c

                SHA1

                bffc90a3ad32d6b085972a1401563bdafc97cd14

                SHA256

                041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

                SHA512

                4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\mac.exe
                Filesize

                86KB

                MD5

                47af31afd8658aa7924283ce9f33ab0c

                SHA1

                bffc90a3ad32d6b085972a1401563bdafc97cd14

                SHA256

                041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

                SHA512

                4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\runme.exe
                Filesize

                171KB

                MD5

                42d8ddd16cba2f8b650e6bf22d863314

                SHA1

                739682da0289f88dc2f8b91f06afb647973febe6

                SHA256

                5eca8093d677fc3c6c42e5b5d14e1f05164844bf5fcf5789ca60a6ad9d479e17

                SHA512

                5ddb9dd75d921e07ee64d29bf8f3b6fb80550dded14731cbde7109151cb8abedd6049cdacdfe6dd2daaa30d5d6a0c11b4ce6caff0396b56f9a35390c54e32d75

                Download Submit

              • C:\Program Files (x86)\SubwaySurfers\runme.exe
                Filesize

                171KB

                MD5

                42d8ddd16cba2f8b650e6bf22d863314

                SHA1

                739682da0289f88dc2f8b91f06afb647973febe6

                SHA256

                5eca8093d677fc3c6c42e5b5d14e1f05164844bf5fcf5789ca60a6ad9d479e17

                SHA512

                5ddb9dd75d921e07ee64d29bf8f3b6fb80550dded14731cbde7109151cb8abedd6049cdacdfe6dd2daaa30d5d6a0c11b4ce6caff0396b56f9a35390c54e32d75

                Download Submit

              • C:\ProgramData\Mozilla\wlgmldg.exe
                Filesize

                171KB

                MD5

                3993ca58fc9c97ba6b16a45ae0ca8206

                SHA1

                0ab8cb21c961111f3d3822441d7d80090a4112b7

                SHA256

                3859b61e595be819310a9970321ff47f35803dfcd883ce4ceced132f03020518

                SHA512

                46c367b31584c00aba7ed0236ecdb449c044a72661c7b7b3db5000358e9d9d9d5c58162877e334384c240342eab9d825e54a62bb536a29c122d082bfbb0edf41

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\{D5BA0D3F-A6DC-411C-A8BF-2BA5FAE1A981}.dll
                Filesize

                120KB

                MD5

                c9f333d1ff898672a34805f94a265329

                SHA1

                2deaac66698fb2e9b3868d23034c3211c508b739

                SHA256

                07e546811635574c77edfda126b0e5f5292b4ea13f35158eddedcfc3cbf74b6b

                SHA512

                048c71e48e2def0bfc69ebfb69b834d650a9377082782333f50728fdfd6675df8093d0c87e606022e55d09f81549d4ca3b640bcdd33b9ddc9aace03ee1466add

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\{D5BA0D3F-A6DC-411C-A8BF-2BA5FAE1A981}.dll
                Filesize

                120KB

                MD5

                c9f333d1ff898672a34805f94a265329

                SHA1

                2deaac66698fb2e9b3868d23034c3211c508b739

                SHA256

                07e546811635574c77edfda126b0e5f5292b4ea13f35158eddedcfc3cbf74b6b

                SHA512

                048c71e48e2def0bfc69ebfb69b834d650a9377082782333f50728fdfd6675df8093d0c87e606022e55d09f81549d4ca3b640bcdd33b9ddc9aace03ee1466add

                Download Submit

              • C:\Windows\System32\drivers\etc\hosts
                Filesize

                1KB

                MD5

                868bd8c2d043aea8fc42de40a454ddf5

                SHA1

                3010c74068a905aa5fa3539b8c5ec3e022608dc8

                SHA256

                3c03898e7ba201e7b9a9ca787ee4507b034f64f803e8b17198790281a08f5e82

                SHA512

                201995705b4f679dfb7974246e92c7e4e5944ae71d5e4ea98864b0450ae9975922827e0a6e62c00cad2c1e878e4586671d2f335faf9a7b5089e6f1ae45a6ac06

                Download Submit

              • memory/1036-153-0x0000000000400000-0x000000000045F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1036-140-0x0000000000400000-0x000000000045F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1036-139-0x0000000000400000-0x000000000045F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1036-138-0x0000000002080000-0x00000000020DF000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2532-172-0x00000000081D0000-0x00000000081EC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/4372-159-0x00007FF9BF230000-0x00007FF9BFC66000-memory.dmp

                Filesize

                10.2MB

                Download

              • memory/4412-157-0x0000000000400000-0x000000000045F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/4412-156-0x00000000006A0000-0x00000000006FF000-memory.dmp

                Filesize

                380KB

                Download

              • memory/4412-175-0x0000000000400000-0x000000000045F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/4816-145-0x0000000000400000-0x00000000005A3000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/4816-146-0x0000000000400000-0x00000000005A3000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/4816-142-0x0000000000400000-0x00000000005A3000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/4816-170-0x0000000006590000-0x00000000065EB000-memory.dmp

                Filesize

                364KB

                Download

              • memory/4816-152-0x0000000000400000-0x00000000005A3000-memory.dmp

                Filesize

                1.6MB

                Download

              • memory/4816-174-0x0000000000400000-0x00000000005A3000-memory.dmp

                Filesize

                1.6MB

                Download