8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a

Analysis

max time kernel
226s
max time network
310s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 17:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe
Size

875KB
MD5

624c538765c1275360fb607155ebc8d1
SHA1

2fae8966c0bdf09ec6033a1f270439236f355490
SHA256

8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a
SHA512

5e711dcec4bee6cb3d26f6dfe06bb5ff51f71ae75be71733368b2731d0544a9e9440c99b9113d1c11e6402ff54fcce2017fe56d2fae9b3edbdaafcd1d6082973
SSDEEP

24576:KimM0bT0T0Vff6cvkPbEbMlHUYxtJISGZ9:QM0P0T0tfjEEolH34f

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
752	Project1.exe
460	setup.exe
1388	Hacker.com.cn.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122f7-62.dat	upx
behavioral1/files/0x000a0000000122f7-65.dat	upx
behavioral1/memory/460-67-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x000a0000000122f7-69.dat	upx
behavioral1/files/0x000a0000000122f7-70.dat	upx
behavioral1/files/0x000a0000000122f7-71.dat	upx
behavioral1/files/0x000a0000000122f7-72.dat	upx
behavioral1/memory/460-75-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x00090000000122f9-77.dat	upx
behavioral1/files/0x00090000000122f9-79.dat	upx
behavioral1/memory/1388-81-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1388-84-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe
2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe
2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe
460	setup.exe
460	setup.exe
460	setup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	setup.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	setup.exe
File created	C:\Windows\uninstal.bat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	setup.exe
Token: SeDebugPrivilege	1388	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1388	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 752	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	28
PID 2020 wrote to memory of 752	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	28
PID 2020 wrote to memory of 752	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	28
PID 2020 wrote to memory of 752	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	28
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 2020 wrote to memory of 460	2020	8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe	29
PID 1388 wrote to memory of 968	1388	Hacker.com.cn.exe	31
PID 1388 wrote to memory of 968	1388	Hacker.com.cn.exe	31
PID 1388 wrote to memory of 968	1388	Hacker.com.cn.exe	31
PID 1388 wrote to memory of 968	1388	Hacker.com.cn.exe	31
PID 460 wrote to memory of 848	460	setup.exe	32
PID 460 wrote to memory of 848	460	setup.exe	32
PID 460 wrote to memory of 848	460	setup.exe	32
PID 460 wrote to memory of 848	460	setup.exe	32
PID 460 wrote to memory of 848	460	setup.exe	32
PID 460 wrote to memory of 848	460	setup.exe	32
PID 460 wrote to memory of 848	460	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe
"C:\Users\Admin\AppData\Local\Temp\8f0da65841d9b7fa5c59f6296011f76f58ec0fe78304049f625b67036b83267a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\Project1.exe
  "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:848

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
374KB

MD5
072a1585d235f98146005a5658814eef

SHA1
6f7fb5366ea5bac02f5f2da0325622dcd5cd686c

SHA256
29009325160edd41feece33716318e02bfd97cb31af21dc72ffa3c33652065d2

SHA512
2a95bb4d6db90b1cb2d59274b41d1a9cc6bad5bde7504d536f510a2e605417d8137096989a9e8f1026913467e862dc592966212e1294b0303225ce4310a3a43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
C:\Windows\uninstal.bat

Filesize
136B

MD5
f778d975ee8c33cc1bf0aac643511b5a

SHA1
9c39883a06e1713c1dc1f9afbe15086dd697e052

SHA256
ef09f5caee20112e2a6a7184ef27c370d82cbe5aa745166d8ad75bc38df463ce

SHA512
6a0beb7fdfd4cd33c83cd0ea5254df2a8a4e548ba20fcb1b52135716909f6f01941ab7193ffcdc295d792df1432e7fc6de506bbdbb9526a07c38c6c59b2086ee

Download Submit
\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
374KB

MD5
072a1585d235f98146005a5658814eef

SHA1
6f7fb5366ea5bac02f5f2da0325622dcd5cd686c

SHA256
29009325160edd41feece33716318e02bfd97cb31af21dc72ffa3c33652065d2

SHA512
2a95bb4d6db90b1cb2d59274b41d1a9cc6bad5bde7504d536f510a2e605417d8137096989a9e8f1026913467e862dc592966212e1294b0303225ce4310a3a43d

Download Submit
\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
374KB

MD5
072a1585d235f98146005a5658814eef

SHA1
6f7fb5366ea5bac02f5f2da0325622dcd5cd686c

SHA256
29009325160edd41feece33716318e02bfd97cb31af21dc72ffa3c33652065d2

SHA512
2a95bb4d6db90b1cb2d59274b41d1a9cc6bad5bde7504d536f510a2e605417d8137096989a9e8f1026913467e862dc592966212e1294b0303225ce4310a3a43d

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
295KB

MD5
2b588cb2a583451d32b4c91eda08cab4

SHA1
4a73887a1fc2021304d044d2604614c24ae963e9

SHA256
43b5db2ef473e66e0c90139fdaabbf465b114fbfdae0555907f6565d30f9b3d6

SHA512
ca5f90d0eebf8b6bf294889414045b10d88d14548874c15c4c35bf80bef11367d9ccc54fb97597c0e1f027be9e70bbc9b01b65c2821d60378c3511411de5c19f

Download Submit
memory/460-76-0x0000000000930000-0x00000000009F8000-memory.dmp

Filesize
800KB

Download
memory/460-74-0x0000000000930000-0x00000000009F8000-memory.dmp

Filesize
800KB

Download
memory/460-67-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/460-75-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/460-73-0x0000000000930000-0x00000000009F8000-memory.dmp

Filesize
800KB

Download
memory/1388-81-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1388-84-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2020-56-0x0000000000280000-0x00000000002D2000-memory.dmp

Filesize
328KB

Download
memory/2020-66-0x0000000000280000-0x00000000002D2000-memory.dmp

Filesize
328KB

Download
memory/2020-54-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download
memory/2020-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2020-57-0x0000000003360000-0x0000000003366000-memory.dmp

Filesize
24KB

Download
memory/2020-55-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download