Analysis

  • max time kernel
    91s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20220812-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    26/12/2022, 10:58

General

  • Target

    1c180f8f480b87a62ffdfbd4dc32ac664e6913d03b112fd3df780bb9f821a78d.exe

  • Size

    424KB

  • MD5

    bf6f7ef2802705565d33ad4c9225acda

  • SHA1

    d9a921d6e4f0d206e646700513eda143db239635

  • SHA256

    1c180f8f480b87a62ffdfbd4dc32ac664e6913d03b112fd3df780bb9f821a78d

  • SHA512

    4151218298bf9111465b4b5d140f85abc01872cad4b54dbdefb2e061cbc4f09b6c03f4c6fe202f6034c2e41b70ee754be4bf5cefb15b902ac0b1a966cb916ec3

  • SSDEEP

    6144:JHEmrnWIHf5Kt4m6bkyotM4dxtsXgrNfl0EUl0srjnLoL:JHEmjH/5KtEbkRtM0jflnUWILoL

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs

    The sample writes a second executable to disk and launches it (here C:\users\Public\conlhost.exe, see Processes below).

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs

    Persistence: a value under HKCU\...\CurrentVersion\Run names a program that Windows starts at every logon of that user.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 12 IoCs

    One process writes into the address space of another, the primitive behind most code-injection techniques.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c180f8f480b87a62ffdfbd4dc32ac664e6913d03b112fd3df780bb9f821a78d.exe
    "C:\Users\Admin\AppData\Local\Temp\1c180f8f480b87a62ffdfbd4dc32ac664e6913d03b112fd3df780bb9f821a78d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\users\Public\conlhost.exe
      "C:\users\Public\conlhost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat
        3⤵
        PID:1040
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
          3⤵
          • Adds Run key to start application
          PID:4808
        • C:\Windows\SysWOW64\REG.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
          3⤵
        PID:3420
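The tree above is worth turning into detection logic. The Python below is an added example written for this page, not code from the sandbox or from the sample. It replays constructed process-creation events (in the shape of Sysmon Event ID 1, an assumption) built from the tree and flags three things: the file name conlhost.exe, one edit away from the legitimate conhost.exe and running from C:\users\Public; the REG ADD that plants the "allkeeper" Run value pointing at that file; and the "crypted" value written directly under the HKCU\SOFTWARE root, which installers never do. It also notes the WoW64 redirection visible in the tree: cmd.exe is invoked by its system32 path but runs from SysWOW64 because the caller is a 32-bit process, and the two REG.exe children pass /reg:64 to reach the 64-bit registry view from that 32-bit context. The dropper's parent and the benign conhost.exe control event are constructed.

```python
"""Detection logic for the chain in the process tree above: a lookalike binary
in C:/users/Public, persistence via REG ADD to the HKCU Run key, and a value
written straight under the HKCU/SOFTWARE root.  Added example, not part of the
sandbox report; it runs offline over constructed process-creation events in the
shape of Sysmon Event ID 1 (that shape, the dropper's parent and the benign
control event are assumptions; the command lines are the report's own).
"""
import re
from collections import namedtuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "explorer.exe", "cmd.exe", "reg.exe"}  # extend for your estate
REG_ADD_RE = re.compile(
    r'^\s*"?(?:\S*\\)?reg(?:\.exe)?"?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$',
    re.I)
Finding = namedtuple("Finding", "rule pid detail")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1c180f8f480b87a62ffdfbd4dc32ac664e6913d03b112fd3df780bb9f821a78d.exe"
PAYLOAD = r"C:\users\Public\conlhost.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    {"pid": 4152, "image": DROPPER, "command_line": f'"{DROPPER}"',
     "parent_image": r"C:\Windows\explorer.exe"},  # parent not in the report; assumed
    {"pid": 2968, "image": PAYLOAD, "command_line": f'"{PAYLOAD}"', "parent_image": DROPPER},
    {"pid": 1040, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": PAYLOAD,
     "command_line": r"C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat"},
    {"pid": 4808, "image": r"C:\Windows\SysWOW64\REG.exe", "parent_image": PAYLOAD,
     "command_line": r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                     r'/v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64'},
    {"pid": 3420, "image": r"C:\Windows\SysWOW64\REG.exe", "parent_image": PAYLOAD,
     "command_line": r'REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64'},
    {"pid": 5000, "image": r"C:\Windows\System32\conhost.exe",  # benign control, constructed
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0x4",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance: conlhost.exe is one insertion away from conhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_reg_add(cmdline):
    """{key, value, data, view} for a 'REG ADD ...' command line, else None."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    rest = m.group("rest")

    def opt(flag):  # argument of /flag, quoted or bare
        o = re.search(r"/" + flag + r'\s+(?:"([^"]*)"|(\S+))', rest, re.I)
        return None if not o else (o.group(1) if o.group(1) is not None else o.group(2))

    view = re.search(r"/reg:(32|64)", rest, re.I)
    return {"key": m.group("qkey") or m.group("key"), "value": opt("v"),
            "data": opt("d"), "view": view.group(1) if view else None}


def check_process(ev):
    """Every rule against one process-creation event; returns the findings."""
    out, pid, image, cmd = [], ev["pid"], ev["image"].lower(), ev["command_line"]
    name = basename(image)
    # Rule 1: a Windows binary name outside System32/SysWOW64, or a name one edit
    # away from one (conlhost.exe ~ conhost.exe), worse from a user-writable path.
    if name in SYSTEM_BINARIES:
        if not image.startswith(SYSTEM_DIRS):
            out.append(Finding("system-name-outside-system-dir", pid, ev["image"]))
    else:
        for real in SYSTEM_BINARIES:
            if edit_distance(name, real) == 1:
                staged = " from user-writable path" if any(p in image for p in USER_WRITABLE) else ""
                out.append(Finding("lookalike-binary", pid, f"{name} ~ {real}{staged}"))
                break
    # Rule 2: reg.exe writing a Run value, or a value directly under HKCU/HKLM\SOFTWARE.
    reg = parse_reg_add(cmd)
    if reg:
        key, view = reg["key"], (f" (/reg:{reg['view']} view)" if reg["view"] else "")
        if re.search(r"\\currentversion\\run(once)?$", key, re.I):
            out.append(Finding("run-key-persistence", pid, f"{reg['value']} -> {reg['data']}{view}"))
        elif re.fullmatch(r"hk(ey_)?(cu|current_user|lm|local_machine)\\software", key, re.I):
            out.append(Finding("software-root-value", pid, f"{reg['value']}={reg['data']} under {key}{view}"))
    # Informational: a SysWOW64 image whose command line says system32 is a 32-bit
    # process caught by file-system redirection, as cmd.exe is in the tree above.
    if image.startswith("c:\\windows\\syswow64\\") and "\\system32\\" in cmd.lower():
        out.append(Finding("wow64-redirect", pid, "32-bit process; system32 path redirected"))
    return out


def analyze(events):
    return [f for ev in events for f in check_process(ev)]
```

Run `analyze(SAMPLE_EVENTS)` and only the four malicious children fire (2968, 1040, 4808, 3420); the dropper itself and the control conhost.exe produce nothing. Rule 1 is the noisy one in practice: tune SYSTEM_BINARIES to the names that matter on your hosts and keep the distance threshold at 1, or legitimate tools with similar names will start to hit.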

Network

MITRE ATT&CK Enterprise v6

Downloads

            • C:\Users\Public\conlhost.exe (also recorded as C:\users\Public\conlhost.exe; one file, the path spelling differs between the write and the execution)

              Filesize

              424KB

              MD5

              73d40a7543887c4917a276e1656df3be

              SHA1

              e1e8350e9c3c0255ea4ec3b06df9f7152a892e0c

              SHA256

              b295aae70568e6d818374a3e4d26bfafaa3e62fb54518407e29706f50831125a

              SHA512

              a2a55f2f7e262a4074858f0ee2e6f98e2c3c14f165c3099a3cd0e71207b107225de3fb71e3a4a1f065e9aa989e1e07fa55bab68c64621be7e370f284121ed098

            • C:\users\Public\del.bat

              Filesize

              130B

              MD5

              4a10d2eaab8a222e888fa2b88b12dff6

              SHA1

              2d447620e65394cf6845400bcdd17d17b28d2c4b

              SHA256

              b1ad335243ba308ada99c910694811952f28e2f3a3ddd15bd2c7de3b20e0687c

              SHA512

              8f1d2b7bdcaa6f8f96baf5ff021ca8b4e1d44ec1487f35919c09023201987d3851a9b8ed733507ab1b20b04adc7b88cb723dcfa728115a6405f19219c87c397a

            • memory/2968-140-0x0000000000300000-0x000000000036E000-memory.dmp

              Filesize

              440KB

            • memory/2968-141-0x0000000000300000-0x000000000036E000-memory.dmp

              Filesize

              440KB

            • memory/4152-132-0x0000000000310000-0x000000000037E000-memory.dmp

              Filesize

              440KB

            • memory/4152-133-0x0000000000310000-0x000000000037E000-memory.dmp

              Filesize

              440KB

            • memory/4152-137-0x0000000000310000-0x000000000037E000-memory.dmp

              Filesize

              440KB
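Two entries in this report call for a check on the analyst's side: the "UPX packed file" signature under Signatures, and the Downloads table, where conlhost.exe has exactly the dropper's size (424KB) but a different MD5, SHA1 and SHA256, so it is a modified copy rather than a byte-for-byte one. The Python below is an added example, not code from the sandbox or the sample. It builds constructed minimal PE images (not the real files), reads the section table the way the UPX heuristic does, hashes the image, and compares two images for the same-size-different-hash pattern. The UPX check relies on the stock UPX0/UPX1 section names; a build with renamed sections, which is what the signature text calls "modified UPX", may not be caught by the name check alone.

```python
"""Triage checks for two entries in this report: the "UPX packed file" signature
and the hash table, where the dropped conlhost.exe has the dropper's size but a
different hash.  Added example, not part of the sandbox report.  The PE images
are constructed minimal headers, not the samples; the UPX test is the usual
section-name heuristic.
"""
import hashlib
import struct


def build_fake_pe(section_names, machine=0x14C):
    """Constructed PE: DOS header, COFF header, empty optional header, and one
    40-byte section header per name.  Enough for header parsing, nothing more."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020) for n in section_names)
    return dos + b"PE\0\0" + coff + table


def pe_sections(data):
    """(machine, [section names]) from the PE headers; raises on a non-PE blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    table = pe + 4 + 20 + opt_size  # section table follows the optional header
    names = [struct.unpack_from("<8s", data, table + 40 * i)[0].split(b"\0", 1)[0]
             .decode("ascii", "replace") for i in range(nsec)]
    return machine, names


def looks_upx(names):
    """Core of the sandbox signature: stock UPX names its sections UPX0/UPX1 (and UPX2)."""
    return any(n.upper().startswith("UPX") for n in names)


def triage(data):
    """The fields the report's Downloads table carries, plus arch and UPX verdict."""
    machine, names = pe_sections(data)
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "arch": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "sections": names, "upx": looks_upx(names)}


def modified_copy(a, b):
    """True when two images have the same size but different bytes, the pattern
    the Downloads table shows for the dropper and conlhost.exe."""
    ta, tb = triage(a), triage(b)
    return ta["size"] == tb["size"] and ta["sha256"] != tb["sha256"]


PACKED = build_fake_pe(["UPX0", "UPX1", ".rsrc"])            # constructed, UPX-style layout
PLAIN = build_fake_pe([".text", ".rdata", ".data", ".rsrc"])  # constructed, compiler layout
PACKED_X64 = build_fake_pe(["UPX0", "UPX1", ".rsrc"], machine=0x8664)  # same size, different bytes

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, triage(img))
    print("same size, different hash:", modified_copy(PACKED, PACKED_X64))
```

Against real files, read them with `open(path, "rb").read()` and feed `triage()`; for the dropper and conlhost.exe the function reports equal size and differing hashes, and the section names tell you whether the UPX verdict comes from the stock names or from something that needs unpacking and a closer look.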