238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

Analysis

max time kernel
79s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
Size

393KB
MD5

53fb4a3b26d43ad7192f374452eacb7d
SHA1

031853042d0b205117be47c6d92cc580c6b56ce7
SHA256

238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd
SHA512

f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458
SSDEEP

6144:ZBgh/58KGip9lmh0UwwDdxtPw13OyhFR8uHC+4VL6eHn3ttqPgJog:ZBMmKGnhDT+JlCLRueH3rz

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
572	svchost.exe
1904	svchost.exe
1308	svchost.exe
1528	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1628-55-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/files/0x000c0000000122ea-64.dat	upx
behavioral1/files/0x000c0000000122ea-68.dat	upx
behavioral1/files/0x000c0000000122ea-70.dat	upx
behavioral1/memory/572-73-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1628-76-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/files/0x000c0000000122ea-77.dat	upx
behavioral1/memory/1308-82-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/files/0x000c0000000122ea-80.dat	upx
behavioral1/files/0x000c0000000122ea-88.dat	upx
behavioral1/memory/1904-93-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/572-94-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/572-95-0x0000000000400000-0x00000000004CF000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Generic Win32 Host Process = "C:\\Windows\\system\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Generic Win32 Host Process = "C:\\Windows\\system\\svchost.exe"	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Generic Win32 Host Process = "C:\\Windows\\system\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	svchost.exe
File opened (read-only)	\??\q:	svchost.exe
File opened (read-only)	\??\x:	svchost.exe
File opened (read-only)	\??\i:	svchost.exe
File opened (read-only)	\??\l:	svchost.exe
File opened (read-only)	\??\j:	svchost.exe
File opened (read-only)	\??\t:	svchost.exe
File opened (read-only)	\??\a:	svchost.exe
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\p:	svchost.exe
File opened (read-only)	\??\w:	svchost.exe
File opened (read-only)	\??\b:	svchost.exe
File opened (read-only)	\??\g:	svchost.exe
File opened (read-only)	\??\r:	svchost.exe
File opened (read-only)	\??\w:	svchost.exe
File opened (read-only)	\??\o:	svchost.exe
File opened (read-only)	\??\p:	svchost.exe
File opened (read-only)	\??\v:	svchost.exe
File opened (read-only)	\??\z:	svchost.exe
File opened (read-only)	\??\k:	svchost.exe
File opened (read-only)	\??\q:	svchost.exe
File opened (read-only)	\??\r:	svchost.exe
File opened (read-only)	\??\z:	svchost.exe
File opened (read-only)	\??\k:	svchost.exe
File opened (read-only)	\??\s:	svchost.exe
File opened (read-only)	\??\l:	svchost.exe
File opened (read-only)	\??\t:	svchost.exe
File opened (read-only)	\??\y:	svchost.exe
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\b:	svchost.exe
File opened (read-only)	\??\i:	svchost.exe
File opened (read-only)	\??\j:	svchost.exe
File opened (read-only)	\??\u:	svchost.exe
File opened (read-only)	\??\e:	svchost.exe
File opened (read-only)	\??\h:	svchost.exe
File opened (read-only)	\??\y:	svchost.exe
File opened (read-only)	\??\e:	svchost.exe
File opened (read-only)	\??\m:	svchost.exe
File opened (read-only)	\??\n:	svchost.exe
File opened (read-only)	\??\x:	svchost.exe
File opened (read-only)	\??\u:	svchost.exe
File opened (read-only)	\??\g:	svchost.exe
File opened (read-only)	\??\n:	svchost.exe
File opened (read-only)	\??\o:	svchost.exe
File opened (read-only)	\??\s:	svchost.exe
File opened (read-only)	\??\v:	svchost.exe
File opened (read-only)	\??\a:	svchost.exe
File opened (read-only)	\??\h:	svchost.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1628-55-0x0000000000400000-0x00000000004CF000-memory.dmp	autoit_exe
behavioral1/memory/1628-76-0x0000000000400000-0x00000000004CF000-memory.dmp	autoit_exe
behavioral1/memory/1904-93-0x0000000000400000-0x00000000004CF000-memory.dmp	autoit_exe
behavioral1/memory/572-94-0x0000000000400000-0x00000000004CF000-memory.dmp	autoit_exe
behavioral1/memory/572-95-0x0000000000400000-0x00000000004CF000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1904 set thread context of 1528	1904	svchost.exe	32

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
File opened for modification	C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
File created	C:\Windows\system\svchost.exe	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
File created	C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe	svchost.exe
File opened for modification	C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe	svchost.exe
File created	C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe	svchost.exe
File opened for modification	C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
1904	svchost.exe
572	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 1040	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	28
PID 1628 wrote to memory of 572	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	29
PID 1628 wrote to memory of 572	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	29
PID 1628 wrote to memory of 572	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	29
PID 1628 wrote to memory of 572	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	29
PID 1628 wrote to memory of 1904	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	30
PID 1628 wrote to memory of 1904	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	30
PID 1628 wrote to memory of 1904	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	30
PID 1628 wrote to memory of 1904	1628	238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe	30
PID 572 wrote to memory of 1308	572	svchost.exe	31
PID 572 wrote to memory of 1308	572	svchost.exe	31
PID 572 wrote to memory of 1308	572	svchost.exe	31
PID 572 wrote to memory of 1308	572	svchost.exe	31
PID 1904 wrote to memory of 1528	1904	svchost.exe	32
PID 1904 wrote to memory of 1528	1904	svchost.exe	32
PID 1904 wrote to memory of 1528	1904	svchost.exe	32
PID 1904 wrote to memory of 1528	1904	svchost.exe	32
PID 1904 wrote to memory of 1528	1904	svchost.exe	32
PID 1904 wrote to memory of 1528	1904	svchost.exe	32
PID 1904 wrote to memory of 1528	1904	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
"C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe
  "C:\Users\Admin\AppData\Local\Temp\238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd.exe"
  2⤵
  PID:1040
- C:\Windows\system\svchost.exe
  C:\Windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\system\svchost.exe
    "C:\Windows\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1308
- C:\Windows\system\svchost.exe
  C:\Windows\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system\svchost.exe
    "C:\Windows\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe

Filesize
56KB

MD5
df2cda14f46180a78444cbe25760e7f8

SHA1
3567cbb5672164eab38ccd55ed4ea31505e07a59

SHA256
e6beaf2cbb389b73af052d3153ce4150cf72d4122e0dddc17f1c615f01bea66e

SHA512
7aac5fd4eac231aea838367712123921670d7f0ad7c22ea9d6e59479468c98899d6166abdf8ceb9fb1e9d6f8c3b00c2d33e43b7fd625ee23261c2b8fde1d988e

Download Submit
C:\Windows\system\2u12pbO3Ec5npc01If9vFZc31ynIwLFV3kreXJj9.exe

Filesize
56KB

MD5
df2cda14f46180a78444cbe25760e7f8

SHA1
3567cbb5672164eab38ccd55ed4ea31505e07a59

SHA256
e6beaf2cbb389b73af052d3153ce4150cf72d4122e0dddc17f1c615f01bea66e

SHA512
7aac5fd4eac231aea838367712123921670d7f0ad7c22ea9d6e59479468c98899d6166abdf8ceb9fb1e9d6f8c3b00c2d33e43b7fd625ee23261c2b8fde1d988e

Download Submit
C:\Windows\system\svchost.exe

Filesize
393KB

MD5
53fb4a3b26d43ad7192f374452eacb7d

SHA1
031853042d0b205117be47c6d92cc580c6b56ce7

SHA256
238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

SHA512
f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

Download Submit
C:\Windows\system\svchost.exe

Filesize
393KB

MD5
53fb4a3b26d43ad7192f374452eacb7d

SHA1
031853042d0b205117be47c6d92cc580c6b56ce7

SHA256
238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

SHA512
f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

Download Submit
C:\Windows\system\svchost.exe

Filesize
393KB

MD5
53fb4a3b26d43ad7192f374452eacb7d

SHA1
031853042d0b205117be47c6d92cc580c6b56ce7

SHA256
238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

SHA512
f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

Download Submit
C:\Windows\system\svchost.exe

Filesize
393KB

MD5
53fb4a3b26d43ad7192f374452eacb7d

SHA1
031853042d0b205117be47c6d92cc580c6b56ce7

SHA256
238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

SHA512
f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

Download Submit
C:\Windows\system\svchost.exe

Filesize
393KB

MD5
53fb4a3b26d43ad7192f374452eacb7d

SHA1
031853042d0b205117be47c6d92cc580c6b56ce7

SHA256
238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

SHA512
f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

Download Submit
\Windows\system\svchost.exe

Filesize
393KB

MD5
53fb4a3b26d43ad7192f374452eacb7d

SHA1
031853042d0b205117be47c6d92cc580c6b56ce7

SHA256
238e286a3bca4af0e1294a4cb13d17de6b922df4570a98a99ce550c88596f4cd

SHA512
f20683d2395a8c06bf1fcf69eaa8016f5d3a878b04128181526c5a6da7d45fb52ea898d2aecf4daa0c5fa56bf69c5515b8ee4f3c12744fbd78f9510d3579a458

Download Submit
memory/572-73-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/572-94-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/572-95-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1040-74-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1040-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1040-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1040-75-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1040-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1040-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1040-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-82-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1528-90-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1528-92-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1628-55-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1628-76-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1628-67-0x00000000036B0000-0x000000000377F000-memory.dmp

Filesize
828KB

Download
memory/1904-93-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download