271d8bf13f96188684e0f68446f16084ec6d8c231837c45e3ec3ebb73062574d

Resubmissions

23-02-2023 14:03

230223-rcnzwsga69 10

20-01-2023 12:25

16-01-2023 12:00

15-01-2023 04:12

15-01-2023 04:01

15-01-2023 03:56

15-01-2023 01:02

15-01-2023 00:38

Analysis

max time kernel
30s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-01-2023 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
Size

1.6MB
MD5

9f7aaf3a9a3f325dd533ecc38d85a351
SHA1

1ebdc55b96e11d9b924fbba8c5fa1799ff247970
SHA256

88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd
SHA512

0afdcb5362be67938d00baaeb3974af3ad2b7342c8024ec2390ce87bad4c6252e4c8277a0bb36979cdcb4036aa9f7dc93ac23f78acdd04033c3086fa3fd7286f
SSDEEP

24576:yWmAFubS9dt9Mcp5CPu4YV5GaCxYiluVuTY4PRVGEw6GPDp5MwNrsJjF2GKGI8L:q29dRpYW4YV5QxYiET8ahPDMwNrs2y

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Engine.exe

pid process

2040 Engine.exe

pid	process
2040	Engine.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SETUP_3284\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\Engine.exe	upx
behavioral1/memory/2040-60-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/2040-72-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe

pid process

1792 88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1696 powershell.exe
1696 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1696 powershell.exe

pid	process
1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe

pid	process
1696	powershell.exe
1696	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exeEngine.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 1792 wrote to memory of 2040	1792	88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe	Engine.exe
PID 2040 wrote to memory of 1920	2040	Engine.exe	cmd.exe
PID 2040 wrote to memory of 1920	2040	Engine.exe	cmd.exe
PID 2040 wrote to memory of 1920	2040	Engine.exe	cmd.exe
PID 2040 wrote to memory of 1920	2040	Engine.exe	cmd.exe
PID 1920 wrote to memory of 1092	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 1092	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 1092	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 1092	1920	cmd.exe	cmd.exe
PID 1092 wrote to memory of 1696	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1696	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1696	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1696	1092	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
"C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\SETUP_3284\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\Engine.exe /TH_ID=_1252 /OriginExe="C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < 4
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_3284\00000#4
Filesize
12KB

MD5
4839bb17c0c82a044dbd0072c6c98cb6

SHA1
3c06dcc178dd8a8e2290b746cfc7e704a537c91f

SHA256
a7e6636cd2ba510513484cfea9201884f64f7b664951402b909caf9728704ec2

SHA512
13d607b989efca3105363a10f481ef02fdcfcd5da4a267da0b87f3f2417456e672337c8e6332e0be286f6401bea203149a1cd23a24a8006f689b32e9d6199b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\00001#45
Filesize
872KB

MD5
a3b85111ecdfc29672319893192bb7fd

SHA1
4ec865fd387eade4cd0b0ad8cabd68cae89ac8d5

SHA256
ec8149d7c157e53108c089f07b8d2bf1156b8c1f8632c938a2130279927e2367

SHA512
0c9e75843ebe962246a0fd2d15e2b90ae71257aac15ee7b1cf12a3fc383a144fef5959c0a81c7d9f55ef6893937b1a9868a7c2546d70045c40810a7b3a0be804

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\00002#7
Filesize
1.5MB

MD5
536073c3748e4eb7bbee303547b7227d

SHA1
4397b1d855e799f4d38467a848cda2273c1c6c73

SHA256
8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3

SHA512
3b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\Engine.exe
Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3284\Setup.txt
Filesize
2KB

MD5
ae90fca8c12f2c43c468fbd0954381f7

SHA1
d475bb8f5891ab5f4c7cd2c90847cbfa68758842

SHA256
d9f67a975a877aa95e76821542311adb21704988d8452916d5b51feeeff3e720

SHA512
6880c7b658b7852bfcd597a57fd6e85f8a218e18d7acc248edc8efb2bea5a61063c4eeb5ae48008cc07408501c1af0eefc6a9010820ba823ab3fe66dae1f9041

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_3284\Engine.exe
Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
memory/1092-67-0x0000000000000000-mapping.dmp

Download
memory/1696-68-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-71-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-59-0x0000000002090000-0x00000000021E8000-memory.dmp

Filesize
1.3MB

Download
memory/1792-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1920-66-0x0000000000000000-mapping.dmp

Download
memory/2040-60-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download
memory/2040-72-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download