a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32

Analysis

max time kernel
77s
max time network
82s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
Size

396KB
MD5

5c8169f5cca362ce7c22b25eda15fbd8
SHA1

41999d841d4445d7178b2a8625b273c893482403
SHA256

a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32
SHA512

376e6b0fd4457dfa299db1e83673c56830ae3310d516c9a19d7f42ee4b0c83a640e2b244fc9756d9d6dc9243e9a758de862e10140c6a03d66bd26f8c5520ae3a
SSDEEP

12288:uutrzh9xOXkF91QHrdGwQMu/yvSqi39mU6lnm:uutr5OUFnQZGn/Q9i39mZlnm

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1932	stepx2.exe
1732	hid.exe
1660	x30811.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015c07-74.dat	upx
behavioral1/files/0x0006000000015c07-75.dat	upx
behavioral1/files/0x0006000000015c07-76.dat	upx
behavioral1/files/0x0006000000015c07-78.dat	upx
behavioral1/memory/1660-82-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1660-84-0x0000000000400000-0x0000000000500000-memory.dmp	upx

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_7092070	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe

Loads dropped DLL 4 IoCs

pid	Process
1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
1932	stepx2.exe
660	cmd.exe
660	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1740	taskkill.exe
1652	taskkill.exe
1324	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1376 wrote to memory of 1932	1376	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	26
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1932 wrote to memory of 1732	1932	stepx2.exe	27
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 1732 wrote to memory of 660	1732	hid.exe	28
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1740	660	cmd.exe	30
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1652	660	cmd.exe	32
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1324	660	cmd.exe	33
PID 660 wrote to memory of 1660	660	cmd.exe	34
PID 660 wrote to memory of 1660	660	cmd.exe	34
PID 660 wrote to memory of 1660	660	cmd.exe	34
PID 660 wrote to memory of 1660	660	cmd.exe	34
PID 660 wrote to memory of 1660	660	cmd.exe	34
PID 660 wrote to memory of 1660	660	cmd.exe	34
PID 660 wrote to memory of 1660	660	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
"C:\Users\Admin\AppData\Local\Temp\a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe
  "C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\hid.exe
    "C:\Users\Admin\AppData\Local\Temp\hid.exe" /NOCONSOLE yz.bat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c yz.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im svchoost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mamita.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im x11811.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\Users\Admin\AppData\Local\Temp\x30811.exe
        
        x30811.exe -a 60 -g yes -o http://y.bethyname.info:8332/ -u redem_guild -p redemxxx5x2 -t 2
        5⤵
        Executes dropped EXE
        
        PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hid.exe

Filesize
43KB

MD5
c1c769d742f88e441ded76bf57a5a45c

SHA1
06872dabd41e70dc4ef8fd5131b334be8a17db3c

SHA256
3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b

SHA512
d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
252KB

MD5
05b0cc5b7cf23668bff73252aee633f4

SHA1
981766824c1ff41a88a9babcf07fdaa6c03cfc64

SHA256
0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1

SHA512
ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
252KB

MD5
05b0cc5b7cf23668bff73252aee633f4

SHA1
981766824c1ff41a88a9babcf07fdaa6c03cfc64

SHA256
0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1

SHA512
ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz.bat

Filesize
177B

MD5
b8c466d2f66004d05f71a5484105e09c

SHA1
0d14cad742e6f2b07d9048b608ad6323986d6564

SHA256
54f81b14c36b97c95717665082984427e61fbd52a36e2ff705a0c64e8415d186

SHA512
91818f7223e530a732b4da1f2adae588a3dad3a9271cf0cd2a8b2b02a724ed01c6570e69836d274db0210c26428215b8ab1d6d15d3a37b47231c2c9a850607e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe

Filesize
347KB

MD5
f83b54e2d32ef76e9417dbadd228dacb

SHA1
ccad473fbec4c815577d3ceca625e3c0c72dbea8

SHA256
2e8a59f390997f0e63e2b905c423fee9afe93bc31ca7ca253495a2d6f26591b7

SHA512
92bdb15ef0f204bc17f311edfcc52c785bfde99caf0bb60926ff7d8aee94e17979a052ed8b4f8f26565bbbcea4b2d55f10f5913fa67631279683efcb0af8d280

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe

Filesize
347KB

MD5
f83b54e2d32ef76e9417dbadd228dacb

SHA1
ccad473fbec4c815577d3ceca625e3c0c72dbea8

SHA256
2e8a59f390997f0e63e2b905c423fee9afe93bc31ca7ca253495a2d6f26591b7

SHA512
92bdb15ef0f204bc17f311edfcc52c785bfde99caf0bb60926ff7d8aee94e17979a052ed8b4f8f26565bbbcea4b2d55f10f5913fa67631279683efcb0af8d280

Download Submit
\Users\Admin\AppData\Local\Temp\hid.exe

Filesize
43KB

MD5
c1c769d742f88e441ded76bf57a5a45c

SHA1
06872dabd41e70dc4ef8fd5131b334be8a17db3c

SHA256
3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b

SHA512
d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download Submit
\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
252KB

MD5
05b0cc5b7cf23668bff73252aee633f4

SHA1
981766824c1ff41a88a9babcf07fdaa6c03cfc64

SHA256
0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1

SHA512
ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download Submit
\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
252KB

MD5
05b0cc5b7cf23668bff73252aee633f4

SHA1
981766824c1ff41a88a9babcf07fdaa6c03cfc64

SHA256
0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1

SHA512
ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe

Filesize
347KB

MD5
f83b54e2d32ef76e9417dbadd228dacb

SHA1
ccad473fbec4c815577d3ceca625e3c0c72dbea8

SHA256
2e8a59f390997f0e63e2b905c423fee9afe93bc31ca7ca253495a2d6f26591b7

SHA512
92bdb15ef0f204bc17f311edfcc52c785bfde99caf0bb60926ff7d8aee94e17979a052ed8b4f8f26565bbbcea4b2d55f10f5913fa67631279683efcb0af8d280

Download Submit
memory/660-83-0x00000000021E0000-0x00000000022E0000-memory.dmp

Filesize
1024KB

Download
memory/660-80-0x00000000021E0000-0x00000000022E0000-memory.dmp

Filesize
1024KB

Download
memory/660-81-0x00000000021E0000-0x00000000022E0000-memory.dmp

Filesize
1024KB

Download
memory/1376-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1660-84-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1660-82-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download