Resubmissions

23-02-2023 14:03

230223-rcnzwsga69 10

20-01-2023 12:25

230120-plqhzaff6y 10

16-01-2023 12:00

230116-n6kyjsad9v 10

15-01-2023 04:12

230115-esqr7sdg4v 10

15-01-2023 04:01

230115-elc8jahg27 8

15-01-2023 03:56

230115-ehjk5shf75 8

15-01-2023 01:02

230115-bebjksbg8w 10

15-01-2023 00:38

230115-azcfyafg72 8

Analysis

  • max time kernel
    192s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-01-2023 00:38

General

  • Target

    88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe

  • Size

    1.6MB

  • MD5

    9f7aaf3a9a3f325dd533ecc38d85a351

  • SHA1

    1ebdc55b96e11d9b924fbba8c5fa1799ff247970

  • SHA256

    88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd

  • SHA512

    0afdcb5362be67938d00baaeb3974af3ad2b7342c8024ec2390ce87bad4c6252e4c8277a0bb36979cdcb4036aa9f7dc93ac23f78acdd04033c3086fa3fd7286f

  • SSDEEP

    24576:yWmAFubS9dt9Mcp5CPu4YV5GaCxYiluVuTY4PRVGEw6GPDp5MwNrsJjF2GKGI8L:q29dRpYW4YV5QxYiET8ahPDMwNrs2y

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe
    "C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exe
      C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exe /TH_ID=_2740 /OriginExe="C:\Users\Admin\AppData\Local\Temp\88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cmd < 4
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2308
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avastui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1572
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell get-process avgui
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2428
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^ibXEdmiVmigethPmiCeveAlmmdbbRGVlGZgkrkVHBRdIphNCcvDTejGGhntqwKrSktcyZDvWGxUklCdjCVwceeizaHYEiVGRNbvySICSZHhIac$" 45
            5⤵
              PID:2004
            • C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\17473\Champion.exe.pif
              17473\\Champion.exe.pif 17473\\S
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1728
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4480
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 18
              5⤵
              • Runs ping.exe
              PID:3240
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2056
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:760
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
        1⤵
        • Drops desktop.ini file(s)
        • Checks processor information in registry
        • Modifies registry class
        PID:2512
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
        1⤵
        • Checks processor information in registry
        • Modifies registry class
        PID:4224
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap26217:96:7zEvent31124 -t7z -sae -- "C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda.7z"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1500
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda.7z
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:4896

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      Discovery
        • Query Registry: T1012 (1)
        • System Information Discovery: T1082 (1)
        • Remote System Discovery: T1018 (1)

      Command and Control
        • Web Service: T1102 (1)

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        1KB

        MD5

        def65711d78669d7f8e69313be4acf2e

        SHA1

        6522ebf1de09eeb981e270bd95114bc69a49cda6

        SHA256

        aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

        SHA512

        05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        ddc1fd34c017ade33953a0c52c535e9f

        SHA1

        8e0d6001a34911b73efc335bb96131ddd42febcc

        SHA256

        7e910fd375bfc3d99435cdfc16da2680768cc28e15fba5a52f64ffa3bb43abda

        SHA512

        a55bf6a7b235893e27a27a4d9f4aef406d53c227fc4fc6d0b98427790ebc195b28044f0aa0a64ab75bc1348918c4a3cd720b5685f291c10a13b49f228d76a638

      • C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda.7z
        Filesize

        961KB

        MD5

        001b3bc84e3fa8f6ee4d6db14aa55927

        SHA1

        ebf65852f7eda23fa534ec09b6723979a7490496

        SHA256

        9a83a0903128c5ffff229cfdc21a67754b53cecb4e3068e6a2ce4589d5e6c431

        SHA512

        f8ce2dfd2a0353395a5cd154f25797727e65579bc1315c95f37a02c3e231e6e1ac9d5b0978d5fc2a4b857041c9d8debaf8c56341158cd7dce0572dfa9dee578e

      • C:\Users\Admin\AppData\Local\Temp\5col3ccv.tda\17473\Champion.exe.pif
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\00000#4
        Filesize

        12KB

        MD5

        4839bb17c0c82a044dbd0072c6c98cb6

        SHA1

        3c06dcc178dd8a8e2290b746cfc7e704a537c91f

        SHA256

        a7e6636cd2ba510513484cfea9201884f64f7b664951402b909caf9728704ec2

        SHA512

        13d607b989efca3105363a10f481ef02fdcfcd5da4a267da0b87f3f2417456e672337c8e6332e0be286f6401bea203149a1cd23a24a8006f689b32e9d6199b55

      • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\00001#45
        Filesize

        872KB

        MD5

        a3b85111ecdfc29672319893192bb7fd

        SHA1

        4ec865fd387eade4cd0b0ad8cabd68cae89ac8d5

        SHA256

        ec8149d7c157e53108c089f07b8d2bf1156b8c1f8632c938a2130279927e2367

        SHA512

        0c9e75843ebe962246a0fd2d15e2b90ae71257aac15ee7b1cf12a3fc383a144fef5959c0a81c7d9f55ef6893937b1a9868a7c2546d70045c40810a7b3a0be804

      • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\00002#7
        Filesize

        1.5MB

        MD5

        536073c3748e4eb7bbee303547b7227d

        SHA1

        4397b1d855e799f4d38467a848cda2273c1c6c73

        SHA256

        8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3

        SHA512

        3b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651

      • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Engine.exe
        Filesize

        392KB

        MD5

        a7a99a201774531d761f6aac2651a9df

        SHA1

        b122ae368c4bf103e959a6ebb54ddb310117ab96

        SHA256

        e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

        SHA512

        056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

      • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Modern_Icon.bmp
        Filesize

        7KB

        MD5

        1dd88f67f029710d5c5858a6293a93f1

        SHA1

        3e5ef66613415fe9467b2a24ccc27d8f997e7df6

        SHA256

        b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

        SHA512

        7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

      • C:\Users\Admin\AppData\Local\Temp\SETUP_3286\Setup.txt
        Filesize

        2KB

        MD5

        ae90fca8c12f2c43c468fbd0954381f7

        SHA1

        d475bb8f5891ab5f4c7cd2c90847cbfa68758842

        SHA256

        d9f67a975a877aa95e76821542311adb21704988d8452916d5b51feeeff3e720

        SHA512

        6880c7b658b7852bfcd597a57fd6e85f8a218e18d7acc248edc8efb2bea5a61063c4eeb5ae48008cc07408501c1af0eefc6a9010820ba823ab3fe66dae1f9041

      • memory/1348-136-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

      • memory/1348-132-0x0000000000000000-mapping.dmp
      • memory/1348-154-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

      • memory/1348-162-0x0000000000400000-0x0000000000558000-memory.dmp
        Filesize

        1.3MB

      • memory/1572-144-0x0000000002220000-0x0000000002256000-memory.dmp
        Filesize

        216KB

      • memory/1572-149-0x0000000005AF0000-0x0000000005B0E000-memory.dmp
        Filesize

        120KB

      • memory/1572-150-0x0000000006CC0000-0x0000000006D56000-memory.dmp
        Filesize

        600KB

      • memory/1572-151-0x0000000005FC0000-0x0000000005FDA000-memory.dmp
        Filesize

        104KB

      • memory/1572-152-0x0000000006010000-0x0000000006032000-memory.dmp
        Filesize

        136KB

      • memory/1572-153-0x0000000007310000-0x00000000078B4000-memory.dmp
        Filesize

        5.6MB

      • memory/1572-148-0x00000000054E0000-0x0000000005546000-memory.dmp
        Filesize

        408KB

      • memory/1572-147-0x0000000005340000-0x00000000053A6000-memory.dmp
        Filesize

        408KB

      • memory/1572-146-0x00000000052A0000-0x00000000052C2000-memory.dmp
        Filesize

        136KB

      • memory/1572-145-0x0000000004C40000-0x0000000005268000-memory.dmp
        Filesize

        6.2MB

      • memory/1572-143-0x0000000000000000-mapping.dmp
      • memory/1728-159-0x0000000000000000-mapping.dmp
      • memory/1904-141-0x0000000000000000-mapping.dmp
      • memory/2004-158-0x0000000000000000-mapping.dmp
      • memory/2308-142-0x0000000000000000-mapping.dmp
      • memory/2428-155-0x0000000000000000-mapping.dmp
      • memory/3240-161-0x0000000000000000-mapping.dmp
      • memory/4480-163-0x0000000000000000-mapping.dmp
      • memory/4480-164-0x0000000001000000-0x00000000010A6000-memory.dmp
        Filesize

        664KB

      • memory/4480-166-0x0000000005690000-0x0000000005722000-memory.dmp
        Filesize

        584KB

      • memory/4896-169-0x0000000000000000-mapping.dmp