Overview

overview

8

Static

static

8

a93b213d23...c4.exe

windows7-x64

8

a93b213d23...c4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    186s
  • max time network
    235s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a93b213d239b520d776edbc859cc3439a10eabd56acd42f5f520b24de16c4fc4.exe

  • Size

    888KB

  • MD5

    8334ca63763e6929ba30736c6748dfd0

  • SHA1

    e89abc41b20ce60282343424781a946af1d1cd70

  • SHA256

    a93b213d239b520d776edbc859cc3439a10eabd56acd42f5f520b24de16c4fc4

  • SHA512

    bc2c6cf537c084af63d4a6befbc045584e722f0c6662f5e0dcf3db667c7d0e510c53e460622fa95cafe8c3808c0b1feae4ceb7328118db1a8a0a29f6da1f5279

  • SSDEEP

    12288:3HM8RZPM2261/6Qw3jK3vmGFw0w2Dn0AlVeQYYUeAxyQx4WYVszc57:88Pp26N6fSBJ08Veo4xyrJVsy

Score
8/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 40 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a93b213d239b520d776edbc859cc3439a10eabd56acd42f5f520b24de16c4fc4.exe
    "C:\Users\Admin\AppData\Local\Temp\a93b213d239b520d776edbc859cc3439a10eabd56acd42f5f520b24de16c4fc4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\WINDOWS\system\svchost.exe
      "C:\WINDOWS\system\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:876
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WINDOWS\system\sup.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s sup.reg
        3⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\system\aliases.ini
    Filesize

    11B

    MD5

    2218df9cdffc814a3dc25c81dd8619dd

    SHA1

    0290f796218937f61331adc8803788e7cd4c2299

    SHA256

    455831b583cfa9549746bcd296a60f5191d2eff7829d469e029b68768c5e56d1

    SHA512

    7aa4c745dfce7b2c38c4930e8275885727a19480597f685f89ab0e536175c31a2d5ee61cfd84b483f73eb211970a1a4fefcc59d8ef97b9af7bf09b7dcf932efa

    Download Submit

  • C:\WINDOWS\system\control.ini
    Filesize

    213B

    MD5

    7d995c044b31a98ab1c301f2bade8f27

    SHA1

    5dc1ecab556aef0ab024316d4f38ae4891469cd3

    SHA256

    6182486a743b7062269e6208cd3129bb2324663895b131f9a667775906564bd8

    SHA512

    5867af9f4b3730065dd5fa42e6ed2cb5fd6796aae2fbbee9a38c079d1a344d8e73ea5a990df6dc75aac215bdb4d95b067084d16ff0126e541657921b189d15af

    Download Submit

  • C:\WINDOWS\system\mirc.ico
    Filesize

    5KB

    MD5

    e09aa9787af5cc53fd7525dd6693cf10

    SHA1

    57445d0779a66c61741822c0a7988573efee13d7

    SHA256

    c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

    SHA512

    b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

    Download Submit

  • C:\WINDOWS\system\mirc.ini
    Filesize

    3KB

    MD5

    ed1322e15b850f0571c62be5c716991b

    SHA1

    9fe60fe7521b950a137fb4d21f83f3a8dc051c28

    SHA256

    0a9a680979c9debe8f18f28fa6186dbaeac9682ee30b0011615b4d8f78b07175

    SHA512

    6c553b2e80cb532f106001ae6fcb7aa1211611e5c72984c86637eaa32ee376e74de90ef32f3a6a194c34fdd193d4a7717dd4a2d6f02c052beb3929ca3f9acd18

    Download Submit

  • C:\WINDOWS\system\nicks.txt
    Filesize

    44KB

    MD5

    b42463ece0672a822b07cde44fc76c97

    SHA1

    46a045e43106a455a2472a8f8a320c239c39a3e3

    SHA256

    ebb7772d0ce92dd6bf5fed36f4c28272f0667f47847120bc62844392003a5d4e

    SHA512

    c0c44e64dc2022e086551e577234d944b274e7bcb613132769571301172243add9a3aee781a9385a74a00e72e6e9c8072a777fec8fc72ae49914ee0a8834332f

    Download Submit

  • C:\WINDOWS\system\remote.ini
    Filesize

    996B

    MD5

    1bc5f6aef9121a9f449773c18ac61de8

    SHA1

    0b9a12976afa5b8697bb308098fb4ddd5a6b968f

    SHA256

    89dd0f469660b4446a7525a5644af32b52dd0bcca79b93dc0a853aaee821505b

    SHA512

    f7d8f1f73253ad035df46dabd3610731af2ce840d6ad0a33215fcb1ce9bdcf51ae91a5f275d5f6c41e9bcacde672c456bfd79bc61361e41479e38e2bde7d047d

    Download Submit

  • C:\WINDOWS\system\script.ini
    Filesize

    7KB

    MD5

    57947757cefa647dcb08067faaf589b4

    SHA1

    6e42050b1fb1cc636dff9cea36f1e808a292f8c4

    SHA256

    c8957dc33d2881e49ab3a166f208d3a88f21115118d82a2dff7bfcd575594839

    SHA512

    dfa121c3135a830379962ce4cdf918979e4795a9eab4123454b9368e6bc45e9b02a696e5f0c9a677e923301addbb0e535f619f342a0c0f421a6c0e59167bd042

    Download Submit

  • C:\WINDOWS\system\servers.ini
    Filesize

    1KB

    MD5

    05c95e09567c8aa47c9d6083535e07d7

    SHA1

    84916748a5477a1a45f4b49a2bf110859419bf40

    SHA256

    e3b202133148ac73513bf331ed0f96761d38736774f8da679213e2c039456da7

    SHA512

    d787370ce01e65eebb3874f02c936eb63c432d74d4de9f56efbb940f755268c820bcd36e07fdfd8a4949642b7c17c01f23dad01c83e992b3ece6f00fbdbe364f

    Download Submit

  • C:\WINDOWS\system\sup.bat
    Filesize

    28B

    MD5

    78de063917ba0a125974065073d2affd

    SHA1

    40d475bf99d5230793cadf6c83fc6a50f0b7fc60

    SHA256

    a02babb376ddf4620d2765712bf82dd05c7343c8c8e367fb57f984ac4ec7f812

    SHA512

    c0ca1ccc9e072022ecd8b557c4ef6a0261eee6e1428fe603ef7b1a72b449a8f177bf9014e362acc377c1e317568a7a4440935326e54c1a945b9453b314254399

    Download Submit

  • C:\WINDOWS\system\sup.reg
    Filesize

    139B

    MD5

    f83598700d4740fa9eab3af8a538197e

    SHA1

    2753dce95bc40564c8e6deaa17e2cfaae0e84f46

    SHA256

    d3927a477f239d1d13f46171a26bc46a1e38dc9de3d5cf62b248e02fefd383b5

    SHA512

    471e561bd4b2d736c6041eea08ec1e915779357d2a73ab8768e26e49870ce123343945fc667608635ec43fd648e3a195f878de456b12d35cb5f0f237126b244c

    Download Submit

  • C:\WINDOWS\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • C:\WINDOWS\system\users.ini
    Filesize

    170B

    MD5

    86ddf25bedd39ed009d14c02830cfdfd

    SHA1

    87ad5769c818f0a306fdade87c898877438ce2c4

    SHA256

    71393ce6815af3a47889f9211b41c6c9065a93b5198a9b91bcbfff7f6c8eb17c

    SHA512

    f7919b11c4d75f0471e0dd566ea848a09dba8683c1b04ddb030b66691606474b8782522d2b57e246bac76a1fbcbf0bbcaaf56f77bc80a249b2031afa418940b6

    Download Submit

  • C:\Windows\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    1.7MB

    MD5

    b766003f431cad186bd115f5761592d1

    SHA1

    33cdfe6f7fa6b321f9a51cc051c32ba924164b10

    SHA256

    22bdb2606020b82349a629248b599b64235c91e8b450e355a245ef09ece57e1d

    SHA512

    d03cabf713c14a40588ec3d5d7c89be91a0bc2e7b472464ed058b2cce0afe58eaaf7386ce5e6297218b3e677e290625506760ad883412b7f94c3330aa9b9f834

    Download Submit

  • memory/560-56-0x0000000000820000-0x0000000000844000-memory.dmp

    Filesize

    144KB

    Download

  • memory/560-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/560-54-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/560-81-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/560-82-0x0000000000820000-0x0000000000844000-memory.dmp

    Filesize

    144KB

    Download

  • memory/876-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1716-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1832-78-0x0000000000000000-mapping.dmp

    Download