f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277

Analysis

max time kernel
56s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe
Size

787KB
MD5

08adf398fed5f5bea3bae485bae811b8
SHA1

faff79b101556bfc58c8751c010f533f2462b9bf
SHA256

f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277
SHA512

79321cab8f5458f40223bc1000243bca3a22fc2059981e68291c4634838dbdc00d14aef7c7d1e42ad6615af13bb864510a1cdb9201ad8de88f0b2dd7a8b7d10f
SSDEEP

24576:NFE//Tct4bOsJDMxKEEJ+7IAlEW/wys5Dyp+h:HSVJDMIEQAeWVgh

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
516	server.exe
572	server.exe
1580	MORPH_~1.EXE
1628	MORPH_~1.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1168-54-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/files/0x000a000000012314-56.dat	upx
behavioral1/files/0x000a000000012314-58.dat	upx
behavioral1/memory/1168-60-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/files/0x000a000000012314-61.dat	upx
behavioral1/memory/516-62-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/516-67-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
1168	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe
516	server.exe
516	server.exe
572	server.exe
572	server.exe
572	server.exe
1580	MORPH_~1.EXE
1580	MORPH_~1.EXE
1628	MORPH_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1168-60-0x0000000000400000-0x00000000004D5000-memory.dmp	autoit_exe
behavioral1/memory/516-62-0x0000000000400000-0x00000000004D5000-memory.dmp	autoit_exe
behavioral1/memory/516-67-0x0000000000400000-0x00000000004D5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 1628	1580	MORPH_~1.EXE	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\server.exe	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe
File opened for modification	C:\Program Files (x86)\server.exe	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1168	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	MORPH_~1.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 516	1168	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe	28
PID 1168 wrote to memory of 516	1168	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe	28
PID 1168 wrote to memory of 516	1168	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe	28
PID 1168 wrote to memory of 516	1168	f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe	28
PID 516 wrote to memory of 572	516	server.exe	29
PID 516 wrote to memory of 572	516	server.exe	29
PID 516 wrote to memory of 572	516	server.exe	29
PID 516 wrote to memory of 572	516	server.exe	29
PID 516 wrote to memory of 572	516	server.exe	29
PID 516 wrote to memory of 572	516	server.exe	29
PID 516 wrote to memory of 572	516	server.exe	29
PID 572 wrote to memory of 1580	572	server.exe	30
PID 572 wrote to memory of 1580	572	server.exe	30
PID 572 wrote to memory of 1580	572	server.exe	30
PID 572 wrote to memory of 1580	572	server.exe	30
PID 572 wrote to memory of 1580	572	server.exe	30
PID 572 wrote to memory of 1580	572	server.exe	30
PID 572 wrote to memory of 1580	572	server.exe	30
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31
PID 1580 wrote to memory of 1628	1580	MORPH_~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe
"C:\Users\Admin\AppData\Local\Temp\f5b7717ca008bb0fb9b905c45348b5abb7954b05d0cec39277d0e3b614e3a277.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\server.exe
  "C:\Program Files (x86)/server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp/server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\server.exe

Filesize
451KB

MD5
444052129d59a345be4ec1e52069c46c

SHA1
1a3dbd187a3d5915ebd291656a44418f7509ce5e

SHA256
e67c6c7edcf6ca854919a8487c63144797c4f35da9ec963d88a7cea3f3491fde

SHA512
47f8680574e76db21318caf5ef5c10e9fcb114e1fd6ff16e26f197a16cea6b97831b14273721e342e096d5920a14d4d588b3ef321ace1ee958b58cc932fcec8a

Download Submit
C:\Program Files (x86)\server.exe

Filesize
451KB

MD5
444052129d59a345be4ec1e52069c46c

SHA1
1a3dbd187a3d5915ebd291656a44418f7509ce5e

SHA256
e67c6c7edcf6ca854919a8487c63144797c4f35da9ec963d88a7cea3f3491fde

SHA512
47f8680574e76db21318caf5ef5c10e9fcb114e1fd6ff16e26f197a16cea6b97831b14273721e342e096d5920a14d4d588b3ef321ace1ee958b58cc932fcec8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
178KB

MD5
c12ca016e3217f565e4549991bcf374e

SHA1
2e1fe9f5beec11d18226a30281f36946b25ad2d5

SHA256
4a0b5c22493c5f4e421b40b2e0efa0c7d87b964ca69a7ced20dae684bacb6616

SHA512
1a69c10ef347efc34868ffcfd70fd18712e216d88df4bdc491066190d592f82136234fdaaea2b721243e1a79546b91d2d82b7c7c6737040c658fd98a31d2acaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
178KB

MD5
c12ca016e3217f565e4549991bcf374e

SHA1
2e1fe9f5beec11d18226a30281f36946b25ad2d5

SHA256
4a0b5c22493c5f4e421b40b2e0efa0c7d87b964ca69a7ced20dae684bacb6616

SHA512
1a69c10ef347efc34868ffcfd70fd18712e216d88df4bdc491066190d592f82136234fdaaea2b721243e1a79546b91d2d82b7c7c6737040c658fd98a31d2acaf

Download Submit
\Program Files (x86)\server.exe

Filesize
451KB

MD5
444052129d59a345be4ec1e52069c46c

SHA1
1a3dbd187a3d5915ebd291656a44418f7509ce5e

SHA256
e67c6c7edcf6ca854919a8487c63144797c4f35da9ec963d88a7cea3f3491fde

SHA512
47f8680574e76db21318caf5ef5c10e9fcb114e1fd6ff16e26f197a16cea6b97831b14273721e342e096d5920a14d4d588b3ef321ace1ee958b58cc932fcec8a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\MORPH_~1.EXE

Filesize
54KB

MD5
ec3900ee96a799b2b9123901c2bc8e4e

SHA1
a2dac1b1624b8cc074439663694ddf1a9bfebcb0

SHA256
642ff6813d068063a8ab6491f81cf339e2ceb0da1ac8c36eb1e76d5fe783c4c2

SHA512
3873e5a4247caa0a375bc606b4440e42d12958dc6cd9511dc3dd6d67e889314ee9fdfc3126468823a2fd964ed1bf4ae978f5db70d857caae72a7f802fdd79090

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
178KB

MD5
c12ca016e3217f565e4549991bcf374e

SHA1
2e1fe9f5beec11d18226a30281f36946b25ad2d5

SHA256
4a0b5c22493c5f4e421b40b2e0efa0c7d87b964ca69a7ced20dae684bacb6616

SHA512
1a69c10ef347efc34868ffcfd70fd18712e216d88df4bdc491066190d592f82136234fdaaea2b721243e1a79546b91d2d82b7c7c6737040c658fd98a31d2acaf

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
178KB

MD5
c12ca016e3217f565e4549991bcf374e

SHA1
2e1fe9f5beec11d18226a30281f36946b25ad2d5

SHA256
4a0b5c22493c5f4e421b40b2e0efa0c7d87b964ca69a7ced20dae684bacb6616

SHA512
1a69c10ef347efc34868ffcfd70fd18712e216d88df4bdc491066190d592f82136234fdaaea2b721243e1a79546b91d2d82b7c7c6737040c658fd98a31d2acaf

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
178KB

MD5
c12ca016e3217f565e4549991bcf374e

SHA1
2e1fe9f5beec11d18226a30281f36946b25ad2d5

SHA256
4a0b5c22493c5f4e421b40b2e0efa0c7d87b964ca69a7ced20dae684bacb6616

SHA512
1a69c10ef347efc34868ffcfd70fd18712e216d88df4bdc491066190d592f82136234fdaaea2b721243e1a79546b91d2d82b7c7c6737040c658fd98a31d2acaf

Download Submit
memory/516-67-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/516-62-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1168-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1168-60-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1168-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1580-87-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-88-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-89-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download