c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49

Analysis

max time kernel
163s
max time network
169s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe
Size

1.1MB
MD5

48d381fa3049c4bf0abe985f9aa083d8
SHA1

6cd53da4b7908aaed0d80b1fff8d85cb421b80da
SHA256

c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49
SHA512

915918d4ffd5afb92a12f84703d9598740dda5f1c30d1a7b086b46b097599319d9407f91f749d6e8aef76f4b047d97d1a67154eb89a7ae182a604fb55d60421c
SSDEEP

24576:ICFQEjfquy7ZYY2BhQ/6Lx9g/9fiQmXLGihhUS8ip:mltdYRQ/4ghTmFiS5p

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1492	3.exe
1744	RavMonD.exe
1836	Éí·ÝÕý.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000122fa-66.dat	upx
behavioral1/files/0x00090000000122fa-67.dat	upx
behavioral1/files/0x00090000000122fa-69.dat	upx
behavioral1/files/0x00090000000122fa-79.dat	upx
behavioral1/memory/1836-80-0x0000000000400000-0x0000000000475000-memory.dmp	upx
behavioral1/memory/1836-83-0x0000000000400000-0x0000000000475000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe
1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe
1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe
1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\FQOCWW.DAT	3.exe
File created	C:\Windows\ZXZMHR.DAT	3.exe
File created	C:\Windows\RavMonD.exe	3.exe
File opened for modification	C:\Windows\RavMonD.exe	3.exe
File created	C:\Windows\uninstal.bat	3.exe
File created	C:\Windows\WUNDWF.DAT	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	3.exe
Token: SeDebugPrivilege	1744	RavMonD.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1744	RavMonD.exe
848	DllHost.exe
848	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1744	RavMonD.exe
1744	RavMonD.exe
1744	RavMonD.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1492	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	28
PID 1232 wrote to memory of 1492	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	28
PID 1232 wrote to memory of 1492	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	28
PID 1232 wrote to memory of 1492	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	28
PID 1744 wrote to memory of 268	1744	RavMonD.exe	30
PID 1744 wrote to memory of 268	1744	RavMonD.exe	30
PID 1744 wrote to memory of 268	1744	RavMonD.exe	30
PID 1744 wrote to memory of 268	1744	RavMonD.exe	30
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1492 wrote to memory of 468	1492	3.exe	32
PID 1232 wrote to memory of 1836	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	31
PID 1232 wrote to memory of 1836	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	31
PID 1232 wrote to memory of 1836	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	31
PID 1232 wrote to memory of 1836	1232	c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe	31

C:\Users\Admin\AppData\Local\Temp\c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe
"C:\Users\Admin\AppData\Local\Temp\c3c0a4ea183877f4270825459ddd2275225a0a37e59d697e27c31b9633adcc49.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éí·ÝÕý.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éí·ÝÕý.exe
  2⤵
  - Executes dropped EXE
  PID:1836

C:\Windows\RavMonD.exe
C:\Windows\RavMonD.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:268

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
862KB

MD5
c2526d46e23a811c40b13b1b5bf6602a

SHA1
213fa42ca98b2038dd859a441e4459d332a7d029

SHA256
ae22f1cffbe662f1d51075d28054476064e161cd4e2988f6ece292ded4a7814c

SHA512
167dce70215c14cb5b8dcae4e1b69e0aa2fde70710ff419bbfb818e333264607fc9267e7d3ec0f3dad7e4fe3bee94bf43106533c480a8419b142d97ef42f0a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
862KB

MD5
c2526d46e23a811c40b13b1b5bf6602a

SHA1
213fa42ca98b2038dd859a441e4459d332a7d029

SHA256
ae22f1cffbe662f1d51075d28054476064e161cd4e2988f6ece292ded4a7814c

SHA512
167dce70215c14cb5b8dcae4e1b69e0aa2fde70710ff419bbfb818e333264607fc9267e7d3ec0f3dad7e4fe3bee94bf43106533c480a8419b142d97ef42f0a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éí·ÝÕý.exe

Filesize
632KB

MD5
6ed60dcba278ff0c8fe9df3dff0fa1e6

SHA1
a95d8d7c64fccf888e43c8130e6c4c31ab5b1ff4

SHA256
06ec04732f460b01beed07c52a3f52e756e37e0362b7bd268174f4fc63aa0cca

SHA512
1838a4f0d30add9cee3fb47d9aa9dc772d5f41e40faaf7b84a4a31fe41d886d89936cd32946606ca6f554ea7baf4e27f25aca104a90fc06e50c8dd8dd54b4273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éí·ÝÕý.exe

Filesize
632KB

MD5
6ed60dcba278ff0c8fe9df3dff0fa1e6

SHA1
a95d8d7c64fccf888e43c8130e6c4c31ab5b1ff4

SHA256
06ec04732f460b01beed07c52a3f52e756e37e0362b7bd268174f4fc63aa0cca

SHA512
1838a4f0d30add9cee3fb47d9aa9dc772d5f41e40faaf7b84a4a31fe41d886d89936cd32946606ca6f554ea7baf4e27f25aca104a90fc06e50c8dd8dd54b4273

Download Submit
C:\Users\Admin\AppData\Local\Temp\Éí·ÝÕý.jpg

Filesize
204KB

MD5
47dc89a5663b28c0b1d2d1faf5b24295

SHA1
722202ef5492b7999f07870511e8a7b81f654d63

SHA256
020e4cb69f885cbf68a94da8cfe083f58e7b8586a0b690c57474d9f07dd8ea6b

SHA512
3987b25e6d1953e11f0413c72e45196a6badab04243b8ee5b4614c4650359c194eff14d947d814b950fc3dd511dfc7b8e8f6b15e3b5bd7f69b4cd8d12059e76e

Download Submit
C:\Windows\FQOCWW.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\RavMonD.exe

Filesize
862KB

MD5
c2526d46e23a811c40b13b1b5bf6602a

SHA1
213fa42ca98b2038dd859a441e4459d332a7d029

SHA256
ae22f1cffbe662f1d51075d28054476064e161cd4e2988f6ece292ded4a7814c

SHA512
167dce70215c14cb5b8dcae4e1b69e0aa2fde70710ff419bbfb818e333264607fc9267e7d3ec0f3dad7e4fe3bee94bf43106533c480a8419b142d97ef42f0a3c

Download Submit
C:\Windows\RavMonD.exe

Filesize
862KB

MD5
c2526d46e23a811c40b13b1b5bf6602a

SHA1
213fa42ca98b2038dd859a441e4459d332a7d029

SHA256
ae22f1cffbe662f1d51075d28054476064e161cd4e2988f6ece292ded4a7814c

SHA512
167dce70215c14cb5b8dcae4e1b69e0aa2fde70710ff419bbfb818e333264607fc9267e7d3ec0f3dad7e4fe3bee94bf43106533c480a8419b142d97ef42f0a3c

Download Submit
C:\Windows\WUNDWF.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\ZXZMHR.DAT

Filesize
11KB

MD5
c998d8a5ae2f5ae6eb941217752cfb50

SHA1
bd2ee5d947f1d727afd952b066c64ceefbcc3879

SHA256
f03c18b5d94d2e8bc2dcff111bea2279f78a1ec78261069fea635f75eafee1e6

SHA512
89737072de9114f687036d1b1aa0e338f7040ef6074de7c4a9e639995ddc6b73a965e968426752420d900a7141aed2f03ba05ca874b1dd025d28d4401aa0b4ed

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
67e4ea2c3e65d3236c8266b9c116f67f

SHA1
7e87f925ccd68b2b7c9af9f92e118db1990234f9

SHA256
2dff6c390d03870cec06d16fe0191475fb87ad2330b78d03c15e7ff0bed8f00c

SHA512
1a3cf0443e932b9b57f32531b3d61c917b9eec19a4ba73336011041e16a0022c5e62b2c768b34a0bdc08ffd75bbaa0338719577001496c9de8a5638420b0a229

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
862KB

MD5
c2526d46e23a811c40b13b1b5bf6602a

SHA1
213fa42ca98b2038dd859a441e4459d332a7d029

SHA256
ae22f1cffbe662f1d51075d28054476064e161cd4e2988f6ece292ded4a7814c

SHA512
167dce70215c14cb5b8dcae4e1b69e0aa2fde70710ff419bbfb818e333264607fc9267e7d3ec0f3dad7e4fe3bee94bf43106533c480a8419b142d97ef42f0a3c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
862KB

MD5
c2526d46e23a811c40b13b1b5bf6602a

SHA1
213fa42ca98b2038dd859a441e4459d332a7d029

SHA256
ae22f1cffbe662f1d51075d28054476064e161cd4e2988f6ece292ded4a7814c

SHA512
167dce70215c14cb5b8dcae4e1b69e0aa2fde70710ff419bbfb818e333264607fc9267e7d3ec0f3dad7e4fe3bee94bf43106533c480a8419b142d97ef42f0a3c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éí·ÝÕý.exe

Filesize
632KB

MD5
6ed60dcba278ff0c8fe9df3dff0fa1e6

SHA1
a95d8d7c64fccf888e43c8130e6c4c31ab5b1ff4

SHA256
06ec04732f460b01beed07c52a3f52e756e37e0362b7bd268174f4fc63aa0cca

SHA512
1838a4f0d30add9cee3fb47d9aa9dc772d5f41e40faaf7b84a4a31fe41d886d89936cd32946606ca6f554ea7baf4e27f25aca104a90fc06e50c8dd8dd54b4273

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Éí·ÝÕý.exe

Filesize
632KB

MD5
6ed60dcba278ff0c8fe9df3dff0fa1e6

SHA1
a95d8d7c64fccf888e43c8130e6c4c31ab5b1ff4

SHA256
06ec04732f460b01beed07c52a3f52e756e37e0362b7bd268174f4fc63aa0cca

SHA512
1838a4f0d30add9cee3fb47d9aa9dc772d5f41e40faaf7b84a4a31fe41d886d89936cd32946606ca6f554ea7baf4e27f25aca104a90fc06e50c8dd8dd54b4273

Download Submit
memory/1232-77-0x0000000003240000-0x00000000032B5000-memory.dmp

Filesize
468KB

Download
memory/1232-84-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1232-54-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1232-55-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/1232-78-0x0000000003240000-0x00000000032B5000-memory.dmp

Filesize
468KB

Download
memory/1232-85-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/1492-60-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1744-81-0x0000000001D90000-0x0000000001D9F000-memory.dmp

Filesize
60KB

Download
memory/1744-71-0x0000000000560000-0x0000000000573000-memory.dmp

Filesize
76KB

Download
memory/1744-74-0x0000000001D70000-0x0000000001D82000-memory.dmp

Filesize
72KB

Download
memory/1836-80-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1836-83-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download