Overview

overview

10

Static

static

8

31a0773edd...28.exe

windows7-x64

10

31a0773edd...28.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928.exe

  • Size

    563KB

  • MD5

    cb937632cfcaed9b85db096338b8b446

  • SHA1

    a682f6247377d71a2953ed7a27bdcd016601e180

  • SHA256

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928

  • SHA512

    c7a5e7026bfd22825fd4c241f08dd7de6b67d6a74f13504cf8284435493a457c18b145e89ced5f91282b0a17c1f79ffaf6969ee9149cffd023ba807979c6281c

  • SSDEEP

    12288:jjtju6APFo38dPbUpLbQJNBWQ40twjbY+lEIPD3Lkua:jAPq3SbUeXVF+aIPD3LkR

Score
10/10
evasiontrojanupx

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 36 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928.exe
    "C:\Users\Admin\AppData\Local\Temp\31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Local\Temp\31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928.exe
      "C:\Users\Admin\AppData\Local\Temp\31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\ProgramData\Smrsa.exe
        "C:\ProgramData\Smrsa.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:592
  • C:\ProgramData\Smrse.exe
    C:\ProgramData\Smrse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\ProgramData\Smrse.exe
      "C:\ProgramData\Smrse.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1552
  • C:\ProgramData\Smrse.exe
    C:\ProgramData\Smrse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\ProgramData\Smrse.exe
      "C:\ProgramData\Smrse.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:552

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Smrsa.exe
    Filesize

    32KB

    MD5

    36ddeac2e4efaef6b7a23873319b0d26

    SHA1

    f82df553d5d645980b6d8cf50e5636a0966cc348

    SHA256

    ae7f942e4b8b2b0fae132b848bc29e933a43d74e136966c9c41cb8607b9cd626

    SHA512

    f865ecca31a50278a89e74cf35c02eb966e8b9d619c585fa1caa206817b55bbc1271bd8d5f5787cf3df670ea7471bf0fa92f6360f2ab2ee1422371293206a587

    Download Submit

  • C:\ProgramData\Smrse.exe
    Filesize

    563KB

    MD5

    cb937632cfcaed9b85db096338b8b446

    SHA1

    a682f6247377d71a2953ed7a27bdcd016601e180

    SHA256

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928

    SHA512

    c7a5e7026bfd22825fd4c241f08dd7de6b67d6a74f13504cf8284435493a457c18b145e89ced5f91282b0a17c1f79ffaf6969ee9149cffd023ba807979c6281c

    Download Submit

  • C:\ProgramData\Smrse.exe
    Filesize

    563KB

    MD5

    cb937632cfcaed9b85db096338b8b446

    SHA1

    a682f6247377d71a2953ed7a27bdcd016601e180

    SHA256

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928

    SHA512

    c7a5e7026bfd22825fd4c241f08dd7de6b67d6a74f13504cf8284435493a457c18b145e89ced5f91282b0a17c1f79ffaf6969ee9149cffd023ba807979c6281c

    Download Submit

  • C:\ProgramData\Smrse.exe
    Filesize

    563KB

    MD5

    cb937632cfcaed9b85db096338b8b446

    SHA1

    a682f6247377d71a2953ed7a27bdcd016601e180

    SHA256

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928

    SHA512

    c7a5e7026bfd22825fd4c241f08dd7de6b67d6a74f13504cf8284435493a457c18b145e89ced5f91282b0a17c1f79ffaf6969ee9149cffd023ba807979c6281c

    Download Submit

  • C:\ProgramData\Smrse.exe
    Filesize

    563KB

    MD5

    cb937632cfcaed9b85db096338b8b446

    SHA1

    a682f6247377d71a2953ed7a27bdcd016601e180

    SHA256

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928

    SHA512

    c7a5e7026bfd22825fd4c241f08dd7de6b67d6a74f13504cf8284435493a457c18b145e89ced5f91282b0a17c1f79ffaf6969ee9149cffd023ba807979c6281c

    Download Submit

  • C:\ProgramData\Smrse.exe
    Filesize

    563KB

    MD5

    cb937632cfcaed9b85db096338b8b446

    SHA1

    a682f6247377d71a2953ed7a27bdcd016601e180

    SHA256

    31a0773eddee340e030c3be34336346b60b373e31acc942a443006b5fe225928

    SHA512

    c7a5e7026bfd22825fd4c241f08dd7de6b67d6a74f13504cf8284435493a457c18b145e89ced5f91282b0a17c1f79ffaf6969ee9149cffd023ba807979c6281c

    Download Submit

  • \ProgramData\Smrsa.exe
    Filesize

    32KB

    MD5

    36ddeac2e4efaef6b7a23873319b0d26

    SHA1

    f82df553d5d645980b6d8cf50e5636a0966cc348

    SHA256

    ae7f942e4b8b2b0fae132b848bc29e933a43d74e136966c9c41cb8607b9cd626

    SHA512

    f865ecca31a50278a89e74cf35c02eb966e8b9d619c585fa1caa206817b55bbc1271bd8d5f5787cf3df670ea7471bf0fa92f6360f2ab2ee1422371293206a587

    Download Submit

  • \ProgramData\Smrsa.exe
    Filesize

    32KB

    MD5

    36ddeac2e4efaef6b7a23873319b0d26

    SHA1

    f82df553d5d645980b6d8cf50e5636a0966cc348

    SHA256

    ae7f942e4b8b2b0fae132b848bc29e933a43d74e136966c9c41cb8607b9cd626

    SHA512

    f865ecca31a50278a89e74cf35c02eb966e8b9d619c585fa1caa206817b55bbc1271bd8d5f5787cf3df670ea7471bf0fa92f6360f2ab2ee1422371293206a587

    Download Submit

  • \ProgramData\Smrsa.exe
    Filesize

    32KB

    MD5

    36ddeac2e4efaef6b7a23873319b0d26

    SHA1

    f82df553d5d645980b6d8cf50e5636a0966cc348

    SHA256

    ae7f942e4b8b2b0fae132b848bc29e933a43d74e136966c9c41cb8607b9cd626

    SHA512

    f865ecca31a50278a89e74cf35c02eb966e8b9d619c585fa1caa206817b55bbc1271bd8d5f5787cf3df670ea7471bf0fa92f6360f2ab2ee1422371293206a587

    Download Submit

  • \ProgramData\Smrsa.exe
    Filesize

    32KB

    MD5

    36ddeac2e4efaef6b7a23873319b0d26

    SHA1

    f82df553d5d645980b6d8cf50e5636a0966cc348

    SHA256

    ae7f942e4b8b2b0fae132b848bc29e933a43d74e136966c9c41cb8607b9cd626

    SHA512

    f865ecca31a50278a89e74cf35c02eb966e8b9d619c585fa1caa206817b55bbc1271bd8d5f5787cf3df670ea7471bf0fa92f6360f2ab2ee1422371293206a587

    Download Submit

  • \ProgramData\Smrsa.exe
    Filesize

    32KB

    MD5

    36ddeac2e4efaef6b7a23873319b0d26

    SHA1

    f82df553d5d645980b6d8cf50e5636a0966cc348

    SHA256

    ae7f942e4b8b2b0fae132b848bc29e933a43d74e136966c9c41cb8607b9cd626

    SHA512

    f865ecca31a50278a89e74cf35c02eb966e8b9d619c585fa1caa206817b55bbc1271bd8d5f5787cf3df670ea7471bf0fa92f6360f2ab2ee1422371293206a587

    Download Submit

  • memory/320-77-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/320-85-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/552-100-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1152-72-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1152-57-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1152-55-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1468-60-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1468-61-0x00000000003C0000-0x00000000003CB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1552-101-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1552-102-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1556-97-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download