Overview

overview

8

Static

static

8

d7efbf3303...da.exe

windows7-x64

8

d7efbf3303...da.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda.exe

  • Size

    37KB

  • MD5

    21314b8973d0026469aab5e3463d82f5

  • SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

  • SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

  • SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

  • SSDEEP

    768:ICErOo2SvXDOy5UUt/o78b0yrUyiA01tGAYKMwF10RaPR:IVOo2S7OyOUoob0fA01tGA4wF1wU

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda.exe
    "C:\Users\Admin\AppData\Local\Temp\d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\Dialer\_HACKER-ARCHIVE.exe
      "C:\Windows\Dialer\_HACKER-ARCHIVE.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s C:\Users\Admin\AppData\Local\Temp\~139kc24.reg
        3⤵
        • Runs .reg file with regedit
        PID:1008
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s C:\Users\Admin\AppData\Local\Temp\~1dk4c24.reg
        3⤵
        • Runs .reg file with regedit
        PID:820

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~139kc24.reg
    Filesize

    3KB

    MD5

    83b9ae145cedaa3635c9255dc2b69600

    SHA1

    a52dd703ee57667ecfe18eb712533bcbba4e5eae

    SHA256

    a166d5692c6e368e44ff0496fbc8f19869170c22d2d09c74921e330091d3a1a9

    SHA512

    cd3a7f8fde3e24d3b3c3572d8562e7570a5e005782bb5c60a6a78c1e7434dc2bf1ad44e8ba4cd94206884a3b14e1edfea5c0d711fb3ff0b62bd54b670e48481b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~1dk4c24.reg
    Filesize

    216B

    MD5

    ff921d4e60fcd2392374b13fbd85b477

    SHA1

    3d0fa223dee1b63deb81d2a49959ec7981a52df9

    SHA256

    f761c9958e2198f6c3e554f0bdba12f1ffeeb93f954ed2b0cbc358f459ae7ab6

    SHA512

    d610e12db31c8dc96f490cba9757dfc5d3e329921b202f3f3f03daa99629b2a9b1151dd6127eeaae9af3d383543d5b290c2644d5956248be0122dd5f560e837b

    Download Submit

  • C:\Windows\Dialer\_HACKER-ARCHIVE.exe
    Filesize

    37KB

    MD5

    21314b8973d0026469aab5e3463d82f5

    SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

    SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

    SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

    Download Submit

  • \Windows\Dialer\_HACKER-ARCHIVE.exe
    Filesize

    37KB

    MD5

    21314b8973d0026469aab5e3463d82f5

    SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

    SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

    SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

    Download Submit

  • \Windows\Dialer\_HACKER-ARCHIVE.exe
    Filesize

    37KB

    MD5

    21314b8973d0026469aab5e3463d82f5

    SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

    SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

    SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

    Download Submit

  • \Windows\Dialer\_HACKER-ARCHIVE.exe
    Filesize

    37KB

    MD5

    21314b8973d0026469aab5e3463d82f5

    SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

    SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

    SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

    Download Submit

  • \Windows\Dialer\_HACKER-ARCHIVE.exe
    Filesize

    37KB

    MD5

    21314b8973d0026469aab5e3463d82f5

    SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

    SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

    SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

    Download Submit

  • \Windows\Dialer\_HACKER-ARCHIVE.exe
    Filesize

    37KB

    MD5

    21314b8973d0026469aab5e3463d82f5

    SHA1

    e5c7ce7504d6507cca2f6917c68f83c6a54143a2

    SHA256

    d7efbf3303f6524d3a04ffc58957d57d92032fde2368df7272cc414fa5229dda

    SHA512

    8fb47fed6a38464276da3ba900624e008563a3efef7a05312c887e1e4a0a430d9654e4c2ac0af5f82de59886e2fc5be9f00e02b3a3985ea5ae89f2dd5021634c

    Download Submit

  • memory/820-70-0x0000000000000000-mapping.dmp

    Download

  • memory/940-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/940-65-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/940-57-0x00000000002B0000-0x00000000002BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/940-55-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1008-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1128-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1128-69-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1128-73-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download