c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe
Size

7.0MB
MD5

96a1999f5291d76281f02411a71c432a
SHA1

06e0ef4ef8b7af1201cbf5aae981639363b71590
SHA256

c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f
SHA512

e25e0c3f9080e7b9d9f0ba7480e736bc57256645a318b089778c1950fea67dbeac59650e723bfa23a7539a3b71fa3d2e2b00dc9e7b5c342a8c9e138ee8846ebb
SSDEEP

196608:ba987PJHArOqVD+vTpwCaq7zspvTXgMy5cw8:zPWrfVD+bpwCDvs9XgMY8

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1344-56-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/1344-60-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\008.JPG	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe
File opened for modification	C:\Windows\SysWOW64\El mejorrr!.exe	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe
File opened for modification	C:\Windows\SysWOW64\008.JPG	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1740	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	26
PID 1344 wrote to memory of 1740	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	26
PID 1344 wrote to memory of 1740	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	26
PID 1344 wrote to memory of 1740	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	26
PID 1344 wrote to memory of 1308	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	28
PID 1344 wrote to memory of 1308	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	28
PID 1344 wrote to memory of 1308	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	28
PID 1344 wrote to memory of 1308	1344	c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe	28

C:\Users\Admin\AppData\Local\Temp\c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe
"C:\Users\Admin\AppData\Local\Temp\c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start C:\Windows\System32\008.JPG
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start C:\Windows\System32\El mejorrr!.exe
  2⤵
  PID:1308

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\008.JPG

Filesize
3.8MB

MD5
319b609fbd37b55be312169820459d04

SHA1
ed3dc63b1c619e7795965eed1e14f6de1da73659

SHA256
a195554e82e5f5c486eea5d026b98229e7556579c43acbb8c747e232e952b9db

SHA512
d0276a5bcb342aa719f21c5c84cbb1fc5dcec50ac8e2da1c7cdea096e84628de8cacf79c7af01d838df567e0c2f06ea2c40ce9d884d5a7c3e5cbe42ac9695865

Download Submit
memory/1344-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1344-60-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1740-58-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download