5049de4c58ea923723389e4d732f1c134dc38582971f4872593e1153db945078

Analysis

max time kernel
645s
max time network
652s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/01/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HuyNTVideo.exe
Size

314.8MB
MD5

2537d96011fc12adbd3814700f73ba86
SHA1

77c0870b22138eac4e44f559e2f684c58d53c345
SHA256

5049de4c58ea923723389e4d732f1c134dc38582971f4872593e1153db945078
SHA512

c6883ff0c119f1ea6cbdbdcb7d10dc54200fccc4e52f0f8e31beb1107658342a1d35495696e818b0f4d64dabef2a11435ca5fe9930d17d9d936ddf663fdbbc19
SSDEEP

393216:BgwQpSMi96IB8AQPjluYUtoOOzSpVM5EKg70xV3DAii:BgwQpVi96JAQMAcbc/i

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1168	MicrosofOffice.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1352-54-0x000000013FD20000-0x000000013FDE3000-memory.dmp	upx
behavioral1/memory/1352-61-0x000000013FD20000-0x000000013FDE3000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1352	HuyNTVideo.exe
1168	MicrosofOffice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1168	1352	HuyNTVideo.exe	27
PID 1352 wrote to memory of 1168	1352	HuyNTVideo.exe	27
PID 1352 wrote to memory of 1168	1352	HuyNTVideo.exe	27

C:\Users\Admin\AppData\Local\Temp\HuyNTVideo.exe
"C:\Users\Admin\AppData\Local\Temp\HuyNTVideo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\onefile_1352_133195572891330000\MicrosofOffice.exe
  "C:\Users\Admin\AppData\Local\Temp\HuyNTVideo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1352_133195572891330000\MicrosofOffice.exe

Filesize
25.4MB

MD5
6bf1c18a736e35458f189db5af5892b1

SHA1
c447e9badcbd73ae73d3b45b90e426a65cc3ffcd

SHA256
31ff983931b25478666c62efb57fa4bb01da57594b8bf6c4d9f5c579a9d3b849

SHA512
66588eb7f98235914d709a9f66f5015b5fc25f52fbf415927778a509689799526c8e64f1c66b6af9128486dc1f9f3ba2d6dab32d82fc33497d74ea508ce04156

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1352_133195572891330000\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1352_133195572891330000\MicrosofOffice.exe

Filesize
25.4MB

MD5
6bf1c18a736e35458f189db5af5892b1

SHA1
c447e9badcbd73ae73d3b45b90e426a65cc3ffcd

SHA256
31ff983931b25478666c62efb57fa4bb01da57594b8bf6c4d9f5c579a9d3b849

SHA512
66588eb7f98235914d709a9f66f5015b5fc25f52fbf415927778a509689799526c8e64f1c66b6af9128486dc1f9f3ba2d6dab32d82fc33497d74ea508ce04156

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1352_133195572891330000\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
memory/1352-54-0x000000013FD20000-0x000000013FDE3000-memory.dmp

Filesize
780KB

Download
memory/1352-60-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/1352-61-0x000000013FD20000-0x000000013FDE3000-memory.dmp

Filesize
780KB

Download