Overview

overview

9

Static

static

8

f439fd11ac...9f.exe

windows7-x64

9

f439fd11ac...9f.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    46s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f439fd11acf857fafc866207ed1b0d1d15f4b87b10d9ba01d5faefc606a6cb9f.exe

  • Size

    25KB

  • MD5

    9cfe29c3f1a5a2f46870ec23c40f9540

  • SHA1

    2e74ee6afe5f25405f505fafa2af07c84ed4bec5

  • SHA256

    f439fd11acf857fafc866207ed1b0d1d15f4b87b10d9ba01d5faefc606a6cb9f

  • SHA512

    9f976527187909d77f1d0a692c0622e28c9452d59db7a4450cb95e529bb5f290bf9bb98a9fc93fc91a0884c912024f7a8d104ed4d216c859e31b7cb4ab42ac63

  • SSDEEP

    384:qjC8qYyWr2Fit+OU58G0qH/54H6KMLp2JsgHxZ/WqlTK43qu+Viy:z8blr2AThGd4H6Xp2RZ/PlT+Ay

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f439fd11acf857fafc866207ed1b0d1d15f4b87b10d9ba01d5faefc606a6cb9f.exe
    "C:\Users\Admin\AppData\Local\Temp\f439fd11acf857fafc866207ed1b0d1d15f4b87b10d9ba01d5faefc606a6cb9f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F439FD~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:892

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\Q9q2MHJ3uTBErM7wc.dll
    Filesize

    18KB

    MD5

    3c49757690fffd68b303e90550212799

    SHA1

    b9e37b2361818ee14ca164c7ce4d73fbb75a1d89

    SHA256

    dfffdfbc189f6c2a44406f20fe437c5319f4d0a88a43ce89bccc772abefdc061

    SHA512

    74fd117c70f385d9db2ca80d4a093bb1d54155b5f0df4e016b65214914d0a634d04adbe9c809d974acbb79aa0fe994c8437c9451ca68c3128192b24341795cac

    Download Submit

  • memory/1352-54-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1352-55-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1352-57-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1352-58-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1352-60-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download