c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
Size

261KB
MD5

19626ebe5b3c99e6813e96022846802a
SHA1

94126f067d4043f5e8217558b2606b8434795919
SHA256

c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0
SHA512

35192de480470ac9fa4bc8256d8df60e432ad54efbf8edf9526bfd6c3c511096a974aabb8464baa3126837cd06247bdab6905386be3d45bb2daca8f0061f2de6
SSDEEP

3072:Np2gJWOX8XSHMFLH+hWsXg6EIEVwCp2rwgJ+4mdiIeGbquNpiC8jy9Vt4UGk:NxXjKLH+h7WjHp2rPJUwIN7NMC80

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1284	Ati.ExE
680	Ati.ExE

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/976-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/976-59-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/976-60-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/976-64-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/976-65-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000500000000b2d2-68.dat	upx
behavioral1/files/0x000500000000b2d2-69.dat	upx
behavioral1/files/0x000500000000b2d2-71.dat	upx
behavioral1/memory/1600-72-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/files/0x000500000000b2d2-75.dat	upx
behavioral1/files/0x000500000000b2d2-76.dat	upx
behavioral1/files/0x000500000000b2d2-83.dat	upx
behavioral1/memory/1284-86-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x000500000000b2d2-88.dat	upx
behavioral1/files/0x000500000000b2d2-89.dat	upx
behavioral1/files/0x000500000000b2d2-90.dat	upx
behavioral1/files/0x000500000000b2d2-91.dat	upx
behavioral1/files/0x000500000000b2d2-92.dat	upx
behavioral1/files/0x000500000000b2d2-93.dat	upx
behavioral1/files/0x000500000000b2d2-94.dat	upx
behavioral1/memory/976-96-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Loads dropped DLL 10 IoCs

pid	Process
1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
1284	Ati.ExE
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Ati.ExE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Ati.ExE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1284 set thread context of 680	1284	Ati.ExE	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1056	680	WerFault.exe	29

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
976	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
1284	Ati.ExE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 976	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	27
PID 1600 wrote to memory of 1284	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	28
PID 1600 wrote to memory of 1284	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	28
PID 1600 wrote to memory of 1284	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	28
PID 1600 wrote to memory of 1284	1600	c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe	28
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 1284 wrote to memory of 680	1284	Ati.ExE	29
PID 680 wrote to memory of 1056	680	Ati.ExE	30
PID 680 wrote to memory of 1056	680	Ati.ExE	30
PID 680 wrote to memory of 1056	680	Ati.ExE	30
PID 680 wrote to memory of 1056	680	Ati.ExE	30

C:\Users\Admin\AppData\Local\Temp\c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
"C:\Users\Admin\AppData\Local\Temp\c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
  C:\Users\Admin\AppData\Local\Temp\c9929fb7217656117e10ccab5a29a075ac02efe9cc029caefc64e1208e0c20d0.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Users\Admin\AppData\Local\Temp\Ati.ExE
  "C:\Users\Admin\AppData\Local\Temp\Ati.ExE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\Ati.ExE
    C:\Users\Admin\AppData\Local\Temp\Ati.ExE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
\Users\Admin\AppData\Local\Temp\Ati.ExE

Filesize
67KB

MD5
2ef94485145bbd7c70f748820f2c003d

SHA1
5cc1032b9ab93f8b4dfe9e1443d9f3bf4903df1c

SHA256
0da37198fa40ff122496887a2eee80080167d9b129381d2a4a87e853e1287f2b

SHA512
c22f74468afa5c8a586d8d11e8cbb4db54be20427bb134f16d364cfe3059193660e5bf25bfc6d142b7c0fcd687ea4614405eeae8cd2d7a6fe722dd61ad8fde79

Download Submit
memory/680-84-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/680-77-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/680-78-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/680-79-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/680-81-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/680-95-0x0000000000400000-0x0000000000402400-memory.dmp

Filesize
9KB

Download
memory/976-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/976-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/976-59-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/976-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/976-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/976-96-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/976-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1284-86-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1600-63-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-72-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download