bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce

Analysis

max time kernel
21s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
Size

8.6MB
MD5

551f83e52d985497f7601601d95b85bd
SHA1

1303d690f2089a91f5669e094ea2562e101e3b69
SHA256

bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce
SHA512

6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2
SSDEEP

98304:J/tgS++cwcaS+/t3S++cwcaS+/tJS++cwcaS+/tcS++cwcaS+/t/tRcwcaS+/tBq:nJAiFVF6JAiFVs6JAiFV

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1480	notpad.exe
464	tmp7126687.exe
1532	tmp7127997.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000013a0c-55.dat	upx
behavioral1/files/0x0008000000013a0c-58.dat	upx
behavioral1/files/0x0008000000013a0c-56.dat	upx
behavioral1/files/0x0008000000013a0c-59.dat	upx
behavioral1/memory/1480-63-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1480-73-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000133af-70.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1472	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
1472	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
1480	notpad.exe
1480	notpad.exe
1480	notpad.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File created	C:\Windows\SysWOW64\notpad.exe	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File created	C:\Windows\SysWOW64\notpad.exe-	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7126687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7126687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7126687.exe
File created	C:\Windows\SysWOW64\fsb.stb	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7126687.exe
File created	C:\Windows\SysWOW64\fsb.tmp	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126687.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1480	1472	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe	28
PID 1472 wrote to memory of 1480	1472	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe	28
PID 1472 wrote to memory of 1480	1472	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe	28
PID 1472 wrote to memory of 1480	1472	bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe	28
PID 1480 wrote to memory of 464	1480	notpad.exe	29
PID 1480 wrote to memory of 464	1480	notpad.exe	29
PID 1480 wrote to memory of 464	1480	notpad.exe	29
PID 1480 wrote to memory of 464	1480	notpad.exe	29
PID 1480 wrote to memory of 1532	1480	notpad.exe	30
PID 1480 wrote to memory of 1532	1480	notpad.exe	30
PID 1480 wrote to memory of 1532	1480	notpad.exe	30
PID 1480 wrote to memory of 1532	1480	notpad.exe	30

C:\Users\Admin\AppData\Local\Temp\bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
"C:\Users\Admin\AppData\Local\Temp\bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:464
- - C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe
    3⤵
    - Executes dropped EXE
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
8.6MB

MD5
551f83e52d985497f7601601d95b85bd

SHA1
1303d690f2089a91f5669e094ea2562e101e3b69

SHA256
bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce

SHA512
6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
8.6MB

MD5
551f83e52d985497f7601601d95b85bd

SHA1
1303d690f2089a91f5669e094ea2562e101e3b69

SHA256
bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce

SHA512
6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
8.6MB

MD5
551f83e52d985497f7601601d95b85bd

SHA1
1303d690f2089a91f5669e094ea2562e101e3b69

SHA256
bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce

SHA512
6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
8.8MB

MD5
4663bee45f91039d1cb064e25da357ef

SHA1
59b892ee11e017bcee472c919f301b88e8270619

SHA256
078ad4b8a228f5b1f6a6d3db85472feb2344737052f7e03ea3fa7bdc163bf687

SHA512
fec95a47e02ea223afb5614adfc1c910f86ae048c998e8dd80929f80e175c5b559da28868cf6700b08d8517c6c6d436f3fdf79a494ca6ea9a4cd278cae27b08c

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
8.8MB

MD5
4663bee45f91039d1cb064e25da357ef

SHA1
59b892ee11e017bcee472c919f301b88e8270619

SHA256
078ad4b8a228f5b1f6a6d3db85472feb2344737052f7e03ea3fa7bdc163bf687

SHA512
fec95a47e02ea223afb5614adfc1c910f86ae048c998e8dd80929f80e175c5b559da28868cf6700b08d8517c6c6d436f3fdf79a494ca6ea9a4cd278cae27b08c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
8.6MB

MD5
551f83e52d985497f7601601d95b85bd

SHA1
1303d690f2089a91f5669e094ea2562e101e3b69

SHA256
bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce

SHA512
6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7126687.exe

Filesize
8.6MB

MD5
551f83e52d985497f7601601d95b85bd

SHA1
1303d690f2089a91f5669e094ea2562e101e3b69

SHA256
bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce

SHA512
6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7127997.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
8.8MB

MD5
4663bee45f91039d1cb064e25da357ef

SHA1
59b892ee11e017bcee472c919f301b88e8270619

SHA256
078ad4b8a228f5b1f6a6d3db85472feb2344737052f7e03ea3fa7bdc163bf687

SHA512
fec95a47e02ea223afb5614adfc1c910f86ae048c998e8dd80929f80e175c5b559da28868cf6700b08d8517c6c6d436f3fdf79a494ca6ea9a4cd278cae27b08c

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
8.8MB

MD5
4663bee45f91039d1cb064e25da357ef

SHA1
59b892ee11e017bcee472c919f301b88e8270619

SHA256
078ad4b8a228f5b1f6a6d3db85472feb2344737052f7e03ea3fa7bdc163bf687

SHA512
fec95a47e02ea223afb5614adfc1c910f86ae048c998e8dd80929f80e175c5b559da28868cf6700b08d8517c6c6d436f3fdf79a494ca6ea9a4cd278cae27b08c

Download Submit
memory/1472-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1480-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1480-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download