Analysis

  • max time kernel
    158s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06/12/2022, 21:50

General

  • Target

    ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe

  • Size

    44KB

  • MD5

    28b0b03a1d23529a1f5c59ba7cd6b918

  • SHA1

    f73d4e435c50eb344f95c2c787b73f9ef497200d

  • SHA256

    ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b

  • SHA512

    a6f473015a890c04a32a0ce84ee5283e6e89c32f9ef5a41dfb16b77f122c34e9eed2b6153312002b9c1d97d144cabcbd927d54dbbb79955945d3f567731ff96a

  • SSDEEP

    768:iTGU6btwHyyOJJJJJJJDzaKqA8NCRj0lfAQTQ2O:iif6yHJJJJJJJDzaKJ6CjHQTQ2O

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe
    "C:\Users\Admin\AppData\Local\Temp\ef047ff61ef3a6f96fd308320c85883dea85102520236ffdd3a86b030eeff14b.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EF047F~1.EXE >> NUL
      2⤵
        PID:812

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Windows\SysWOW64\122B901E.dll

    Filesize
    18KB

    MD5
    0e2ffeed4f6e3301535f1d77debedc1b

    SHA1
    bf8dabe39876db2ad369702252456ffcfc9541d9

    SHA256
    7cf910da8e6116c9448e9e53781c51051b42c1376976fe6db1af5ad7961e2977

    SHA512
    47afee207001c6d24782197b8a6fb3d1dc6ae4f91d9b5bec975bc482c182d2adb38c0a42281d1629181aeab2b766f97e96d2eb7378b05900e0095fd0f81b50ad

  • memory/1120-133-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize
    68KB

  • memory/1120-134-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize
    68KB

  • memory/1120-136-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize
    68KB