d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501

Analysis

max time kernel
60s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Size

359KB
MD5

06f781ede87426513ee6059c9b14ec8d
SHA1

244e8d3e9629ec670a4d26c1588f57489ed69ccf
SHA256

d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501
SHA512

f9ecf22bccc2a547f962c6d1d2290a961422bf9ec3414d084a0e01db75404932adb3df35b923c6a09ac24bf90be094668b6edeca5baa58028301481142d5a88f
SSDEEP

6144:4DIEP+Y8a/Kvm5vOE5vacd/avLo7xafsG2n256C/rTvU6LjJoxGq6IEGncgpoi1:YIEPiqKvmM0vCqkfsG2nS6C//rFYGq6E

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
772	3C.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1400-167-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
772	3C.exe
772	3C.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: SeIncBasePriorityPrivilege	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: 33	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: SeIncBasePriorityPrivilege	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: 33	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: SeIncBasePriorityPrivilege	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: 33	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: SeIncBasePriorityPrivilege	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
Token: 33	772	3C.exe
Token: SeIncBasePriorityPrivilege	772	3C.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 772	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe	28
PID 1400 wrote to memory of 772	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe	28
PID 1400 wrote to memory of 772	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe	28
PID 1400 wrote to memory of 772	1400	d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe	28
PID 772 wrote to memory of 1264	772	3C.exe	14
PID 772 wrote to memory of 1264	772	3C.exe	14
PID 772 wrote to memory of 1264	772	3C.exe	14
PID 772 wrote to memory of 1264	772	3C.exe	14

C:\Users\Admin\AppData\Local\Temp\d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe
"C:\Users\Admin\AppData\Local\Temp\d00e80ce4db538b428346de2db1cf2c9346ac2584d18756a6eee4a36c8a1a501.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\1431.02.21T19.08\Virtual\STUBEXE\@APPDATALOCAL@\Temp\3C.exe
  "C:\Users\Admin\AppData\Local\Temp\3C.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\1431.02.21T19.08\Virtual\STUBEXE\@APPDATALOCAL@\Temp\3C.exe

Filesize
17KB

MD5
2dc5901d28a2a5a07fd1bad6223495a9

SHA1
98d5bee6291c558e54b976f08dbdb42dd41958ea

SHA256
d6078adca4893bf57edf3a96e5eb0e450c9b4897f84bdb953e0bbd28e4e2ed91

SHA512
aab782b3149ca80b2fb4dabb533b7d1d2307838029e3ca043fc56054c57b48cdc07e554aa5aa9b31b8dbdde3dbc4b654a77c828cc5d7a7d287cbad87a4dae3c9

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\1431.02.21T19.08\Virtual\STUBEXE\@APPDATALOCAL@\Temp\3C.exe

Filesize
17KB

MD5
2dc5901d28a2a5a07fd1bad6223495a9

SHA1
98d5bee6291c558e54b976f08dbdb42dd41958ea

SHA256
d6078adca4893bf57edf3a96e5eb0e450c9b4897f84bdb953e0bbd28e4e2ed91

SHA512
aab782b3149ca80b2fb4dabb533b7d1d2307838029e3ca043fc56054c57b48cdc07e554aa5aa9b31b8dbdde3dbc4b654a77c828cc5d7a7d287cbad87a4dae3c9

Download Submit
memory/772-681-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/772-680-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/772-676-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/772-675-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/772-674-0x000000000026B000-0x000000000026D000-memory.dmp

Filesize
8KB

Download
memory/772-673-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1400-97-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-109-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-75-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-77-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-79-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-81-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-83-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-85-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-87-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-89-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-91-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-93-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-95-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-57-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-99-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-101-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-103-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-105-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-107-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-73-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-111-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-113-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-115-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-117-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-167-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1400-169-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-364-0x000000000027B000-0x000000000027D000-memory.dmp

Filesize
8KB

Download
memory/1400-71-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-69-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-65-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-67-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-63-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-54-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-61-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-59-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-55-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-682-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1400-683-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download