Overview

overview

10

Static

static

e900bcc617...ee.exe

windows7-x64

10

e900bcc617...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    190s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e900bcc6173819ee322b0383a2dece635781d25d022daa8080231dfb5f74acee.exe

  • Size

    235KB

  • MD5

    ce2898891899fc271747040fe6c510c0

  • SHA1

    26d429ec0433fb51b91b62ced4f9f83df46c19a7

  • SHA256

    e900bcc6173819ee322b0383a2dece635781d25d022daa8080231dfb5f74acee

  • SHA512

    23436c96e5fb76868851b7578f5ad6a6810c3d03a5362177260c8d1e106f78d43d553e59066e54b1e48f000c156cfd83b3aedb55e9d09f84a84647d7410bcd1f

  • SSDEEP

    6144:SjLOjTZIVuJCRZBkcJpEBhRenwYB07XabU+Erpxl:wLO+MJCSIzmPl

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 45 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e900bcc6173819ee322b0383a2dece635781d25d022daa8080231dfb5f74acee.exe
    "C:\Users\Admin\AppData\Local\Temp\e900bcc6173819ee322b0383a2dece635781d25d022daa8080231dfb5f74acee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\apdat.exe
      "C:\Users\Admin\apdat.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\duouv.exe
        "C:\Users\Admin\duouv.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del apdat.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
    • C:\Users\Admin\bpdat.exe
      "C:\Users\Admin\bpdat.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      PID:1284
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1340
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\a.bat" "
        3⤵
          PID:1712
      • C:\Users\Admin\cpdat.exe
        "C:\Users\Admin\cpdat.exe"
        2⤵
        • Executes dropped EXE
        PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dxj..bat" > nul 2> nul
          3⤵
            PID:932
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
          2⤵
          • Deletes itself
          PID:520

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
        Filesize

        300B

        MD5

        919d096776055079517938d3dbbdcc08

        SHA1

        4215956f4dede0b8bd6d25691d6a85976f7ea264

        SHA256

        394244fc96f81df145edd75017d3814eb7cc592edfbc260442ebd6e2e9980ce6

        SHA512

        6ef84031ef02e923d3615b7bf0e76a107401b2e89b16fa03dc608b0ca1cfd96ff6bcea825acbea6b6efc24cb324fbf30f6a8fdf91efc20aba86dfc1afea1034c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Dxj..bat
        Filesize

        118B

        MD5

        57b7002bd20ec73150ffb9325266eb63

        SHA1

        21386befe73c362bfbcc2608eaec37005775bdd2

        SHA256

        cc825493e1d03a170edf01e29715e3438897ed0a1eebdeeb1316cf021d035065

        SHA512

        98dcca468cdf75ae3019aa7b6aadd681b2c883e7d34ca19c88da4a35f2eb1bcc0e10ecbeccf32e12d24e4f6fb2ea5d380657f2707aed021d78e1daef6152243f

        Download Submit

      • C:\Users\Admin\a.bat
        Filesize

        113B

        MD5

        66b2c6f19da3ae21d6c05d74d66e77ad

        SHA1

        e55912921b484e2309700c4fd207c3bef5e426fd

        SHA256

        997e128acbe45008504244efa5081c58a0238015822fa402ebcd2e12831e5187

        SHA512

        5b096a3a673b6d7f69dc8d8eee6faf9280e6433b9bc33aa234cf8a7701c539420e87340447e7e6efafff8e9f2028dda43f91d03d0baba78c944cd7d7a580a651

        Download Submit

      • C:\Users\Admin\apdat.exe
        Filesize

        168KB

        MD5

        2d0d7c0f6c69376565c31c0dd35e8378

        SHA1

        15d15a02859662ad669f345853693627b9208aa7

        SHA256

        4586653d7cdad61fddda7481c9f5fae0751a59cb8566a333a314af9f960d03e4

        SHA512

        b120056d975348af06599c5ea67308981e7211abb1d96ff482d6fcc5d193155e35ac94e803a12685941ea54256527cfcad6a82ac4e0644cdb95ec7048a99f60e

        Download Submit

      • C:\Users\Admin\apdat.exe
        Filesize

        168KB

        MD5

        2d0d7c0f6c69376565c31c0dd35e8378

        SHA1

        15d15a02859662ad669f345853693627b9208aa7

        SHA256

        4586653d7cdad61fddda7481c9f5fae0751a59cb8566a333a314af9f960d03e4

        SHA512

        b120056d975348af06599c5ea67308981e7211abb1d96ff482d6fcc5d193155e35ac94e803a12685941ea54256527cfcad6a82ac4e0644cdb95ec7048a99f60e

        Download Submit

      • C:\Users\Admin\bpdat.exe
        Filesize

        132KB

        MD5

        8b564673bb28181880f2ad0a76e52b28

        SHA1

        f3e82858bee1262d97080950109013ae999d7135

        SHA256

        cb3a924930bb98193eadaa75ad6c8a4584d6c0d5cc16f23ba80088950a472c62

        SHA512

        9b0d20aba11e848d4fef3109d7fc435a7292d28f05e1f09667aa7f16269299356be0d981e47c7e958846d03d83577a6132a3f92bfba2ac42be39c99cb27744cf

        Download Submit

      • C:\Users\Admin\bpdat.exe
        Filesize

        132KB

        MD5

        8b564673bb28181880f2ad0a76e52b28

        SHA1

        f3e82858bee1262d97080950109013ae999d7135

        SHA256

        cb3a924930bb98193eadaa75ad6c8a4584d6c0d5cc16f23ba80088950a472c62

        SHA512

        9b0d20aba11e848d4fef3109d7fc435a7292d28f05e1f09667aa7f16269299356be0d981e47c7e958846d03d83577a6132a3f92bfba2ac42be39c99cb27744cf

        Download Submit

      • C:\Users\Admin\cpdat.exe
        Filesize

        140KB

        MD5

        68c50db3bfc0d0bec1c8625ddf4ab3b9

        SHA1

        2989eba1f8ec6ba094f74c3a63d8b56f0d6b0d5d

        SHA256

        00b3fa92f25949bb6d5cb5d91c8a3641c12b6e9ff6c8560d49f6dc2a4a065ce4

        SHA512

        cdae71d850c453d6a61747cc5b7635d1b172ed235a4468d559e00bf4b5f7027969d72f79e8f22547373314a188dd9def4fcc7034b8b385421578cd34475876b6

        Download Submit

      • C:\Users\Admin\cpdat.exe
        Filesize

        140KB

        MD5

        68c50db3bfc0d0bec1c8625ddf4ab3b9

        SHA1

        2989eba1f8ec6ba094f74c3a63d8b56f0d6b0d5d

        SHA256

        00b3fa92f25949bb6d5cb5d91c8a3641c12b6e9ff6c8560d49f6dc2a4a065ce4

        SHA512

        cdae71d850c453d6a61747cc5b7635d1b172ed235a4468d559e00bf4b5f7027969d72f79e8f22547373314a188dd9def4fcc7034b8b385421578cd34475876b6

        Download Submit

      • C:\Users\Admin\duouv.exe
        Filesize

        168KB

        MD5

        c02ca4732dbdad83b46b4774b805cb64

        SHA1

        5544986c50747971731e128d3b862262bd38c0ca

        SHA256

        e8c139fa8cd902d12cba851e12b3d2cdbf1eb1255c04666d46307b375dda4dff

        SHA512

        cb9b217192ab796249ba4955df4b15b41922239445396191088836ae078f7edbcf5221185a29a4c1179ee2fb0f2c8e1aa880a752a1fbcd9c212f02beb2126ea6

        Download Submit

      • C:\Users\Admin\duouv.exe
        Filesize

        168KB

        MD5

        c02ca4732dbdad83b46b4774b805cb64

        SHA1

        5544986c50747971731e128d3b862262bd38c0ca

        SHA256

        e8c139fa8cd902d12cba851e12b3d2cdbf1eb1255c04666d46307b375dda4dff

        SHA512

        cb9b217192ab796249ba4955df4b15b41922239445396191088836ae078f7edbcf5221185a29a4c1179ee2fb0f2c8e1aa880a752a1fbcd9c212f02beb2126ea6

        Download Submit

      • \Users\Admin\apdat.exe
        Filesize

        168KB

        MD5

        2d0d7c0f6c69376565c31c0dd35e8378

        SHA1

        15d15a02859662ad669f345853693627b9208aa7

        SHA256

        4586653d7cdad61fddda7481c9f5fae0751a59cb8566a333a314af9f960d03e4

        SHA512

        b120056d975348af06599c5ea67308981e7211abb1d96ff482d6fcc5d193155e35ac94e803a12685941ea54256527cfcad6a82ac4e0644cdb95ec7048a99f60e

        Download Submit

      • \Users\Admin\apdat.exe
        Filesize

        168KB

        MD5

        2d0d7c0f6c69376565c31c0dd35e8378

        SHA1

        15d15a02859662ad669f345853693627b9208aa7

        SHA256

        4586653d7cdad61fddda7481c9f5fae0751a59cb8566a333a314af9f960d03e4

        SHA512

        b120056d975348af06599c5ea67308981e7211abb1d96ff482d6fcc5d193155e35ac94e803a12685941ea54256527cfcad6a82ac4e0644cdb95ec7048a99f60e

        Download Submit

      • \Users\Admin\bpdat.exe
        Filesize

        132KB

        MD5

        8b564673bb28181880f2ad0a76e52b28

        SHA1

        f3e82858bee1262d97080950109013ae999d7135

        SHA256

        cb3a924930bb98193eadaa75ad6c8a4584d6c0d5cc16f23ba80088950a472c62

        SHA512

        9b0d20aba11e848d4fef3109d7fc435a7292d28f05e1f09667aa7f16269299356be0d981e47c7e958846d03d83577a6132a3f92bfba2ac42be39c99cb27744cf

        Download Submit

      • \Users\Admin\bpdat.exe
        Filesize

        132KB

        MD5

        8b564673bb28181880f2ad0a76e52b28

        SHA1

        f3e82858bee1262d97080950109013ae999d7135

        SHA256

        cb3a924930bb98193eadaa75ad6c8a4584d6c0d5cc16f23ba80088950a472c62

        SHA512

        9b0d20aba11e848d4fef3109d7fc435a7292d28f05e1f09667aa7f16269299356be0d981e47c7e958846d03d83577a6132a3f92bfba2ac42be39c99cb27744cf

        Download Submit

      • \Users\Admin\cpdat.exe
        Filesize

        140KB

        MD5

        68c50db3bfc0d0bec1c8625ddf4ab3b9

        SHA1

        2989eba1f8ec6ba094f74c3a63d8b56f0d6b0d5d

        SHA256

        00b3fa92f25949bb6d5cb5d91c8a3641c12b6e9ff6c8560d49f6dc2a4a065ce4

        SHA512

        cdae71d850c453d6a61747cc5b7635d1b172ed235a4468d559e00bf4b5f7027969d72f79e8f22547373314a188dd9def4fcc7034b8b385421578cd34475876b6

        Download Submit

      • \Users\Admin\duouv.exe
        Filesize

        168KB

        MD5

        c02ca4732dbdad83b46b4774b805cb64

        SHA1

        5544986c50747971731e128d3b862262bd38c0ca

        SHA256

        e8c139fa8cd902d12cba851e12b3d2cdbf1eb1255c04666d46307b375dda4dff

        SHA512

        cb9b217192ab796249ba4955df4b15b41922239445396191088836ae078f7edbcf5221185a29a4c1179ee2fb0f2c8e1aa880a752a1fbcd9c212f02beb2126ea6

        Download Submit

      • \Users\Admin\duouv.exe
        Filesize

        168KB

        MD5

        c02ca4732dbdad83b46b4774b805cb64

        SHA1

        5544986c50747971731e128d3b862262bd38c0ca

        SHA256

        e8c139fa8cd902d12cba851e12b3d2cdbf1eb1255c04666d46307b375dda4dff

        SHA512

        cb9b217192ab796249ba4955df4b15b41922239445396191088836ae078f7edbcf5221185a29a4c1179ee2fb0f2c8e1aa880a752a1fbcd9c212f02beb2126ea6

        Download Submit

      • memory/520-105-0x0000000000000000-mapping.dmp

        Download

      • memory/932-101-0x0000000000000000-mapping.dmp

        Download

      • memory/1232-80-0x0000000000000000-mapping.dmp

        Download

      • memory/1284-75-0x0000000000000000-mapping.dmp

        Download

      • memory/1328-65-0x0000000000000000-mapping.dmp

        Download

      • memory/1340-82-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1340-97-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1340-90-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1340-81-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1340-85-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1340-86-0x000000000040D7E0-mapping.dmp

        Download

      • memory/1340-84-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1340-89-0x0000000000400000-0x000000000040F000-memory.dmp

        Filesize

        60KB

        Download

      • memory/1384-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1712-91-0x0000000000000000-mapping.dmp

        Download

      • memory/1764-72-0x0000000000000000-mapping.dmp

        Download

      • memory/1912-71-0x0000000003411000-0x000000000395D000-memory.dmp

        Filesize

        5.3MB

        Download

      • memory/1912-57-0x0000000000000000-mapping.dmp

        Download

      • memory/2008-98-0x0000000000350000-0x0000000000359000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2008-99-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2008-100-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2008-102-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2008-94-0x0000000000000000-mapping.dmp

        Download