310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96

Analysis

max time kernel
142s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/03/2023, 04:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe
Size

2.7MB
MD5

2554bcc09b3f2b34eb3f187bc2448503
SHA1

709046dca1a6c409b5cd7fe773d73a2a654daef5
SHA256

310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96
SHA512

5c32f6fceaeda3446c8d8a8a41f0518a4664044c0e145e5bd70ceb85ee23d82a4301b7b1d47417487a76264f763e4a1ddc5401b66b6d2f85b080c0fa35d65727
SSDEEP

49152:5IaFHeBmL/lIE/lLCsvO8YJTDQ6Vi4HfQDKq0aws7Q5ws+yKSdKmZpCnU6hR4l3g:yBBmecXvvYJnlk4/NqG+Q5ZZKWXqnUAN

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\wofadk.sys	WinNTSetup_x64.exe
File opened for modification	C:\Windows\System32\drivers\wofadk.sys	WinNTSetup_x64.exe

Executes dropped EXE 2 IoCs

pid	Process
1504	WinNTSetup_x64.exe
1228	Process not Found

Loads dropped DLL 12 IoCs

pid	Process
1988	310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe
1988	310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1504	WinNTSetup_x64.exe
1228	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016cba-169.dat	upx
behavioral1/files/0x0006000000016cba-170.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1504	WinNTSetup_x64.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1504	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	1504	WinNTSetup_x64.exe
Token: SeRestorePrivilege	1504	WinNTSetup_x64.exe
Token: SeSystemEnvironmentPrivilege	1504	WinNTSetup_x64.exe
Token: SeBackupPrivilege	1504	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	1504	WinNTSetup_x64.exe
Token: SeRestorePrivilege	1504	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	1504	WinNTSetup_x64.exe
Token: SeTakeOwnershipPrivilege	1504	WinNTSetup_x64.exe
Token: SeManageVolumePrivilege	1504	WinNTSetup_x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	WinNTSetup_x64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1504	1988	310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe	27
PID 1988 wrote to memory of 1504	1988	310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe	27
PID 1988 wrote to memory of 1504	1988	310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe	27
PID 1988 wrote to memory of 1504	1988	310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe	27

C:\Users\Admin\AppData\Local\Temp\310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe
"C:\Users\Admin\AppData\Local\Temp\310cd8af8d26ca13aea48f14d814215ee5306f43d2dbb4b046d85956357bbc96.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe
  C:\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\Imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\BootICE\Booticex64.exe

Filesize
489KB

MD5
7ddd108c095016b0e2e8d6b5b04f93b8

SHA1
3764d75c02c8ce8d2c78203aa9eb7f8018a112e1

SHA256
e1cb831ac9213b52066f934ba0fa80ea8a9de48932452d4142fa085a2ba24fc2

SHA512
36c77eaafed04eb3a337a909a90d4c3eb66e1d36531c6248095906332ea6d03dffc9abd7fbcb3c2101065110e4536c0a89b6320dcab386871b3f9d9e34e40bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimlib\libwim-15.dll

Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x86\DISM\wofadk.sys

Filesize
186KB

MD5
b58305136c4ce3508c0a3c9e48432ac9

SHA1
810ac2ab7b4ec2604b81838977e1c6341136e8db

SHA256
48b2267e2cd998e325a88a4a877e6837fabd7ed3a8649c225de5b9c5ffbbd918

SHA512
dd069a1d68b5b18cd159926517a50b054af7b53417a12c14117e1028f810b8ff8efdea38d7fb260d0bd99ee158a7bc509dfcf939f3fa621a81f6152feabc7a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
91ab9283f0ea8a2e9ae33c217995cd27

SHA1
345a74a1c04c17a31492f3bb1c28e95042a984d9

SHA256
6089966328998690ffabd8e5dd117e96df6b6c9cf13bb61b43c48503dbe8c438

SHA512
491d1b630eef60c73a908884877118d19793fa23509b2174ee5407e271e2ed8613654f5cde9a9f3ecc9ce9a31010b5c02888350c40043c4969270eb0c935290f

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\BootICE\BOOTICEx64.exe

Filesize
489KB

MD5
7ddd108c095016b0e2e8d6b5b04f93b8

SHA1
3764d75c02c8ce8d2c78203aa9eb7f8018a112e1

SHA256
e1cb831ac9213b52066f934ba0fa80ea8a9de48932452d4142fa085a2ba24fc2

SHA512
36c77eaafed04eb3a337a909a90d4c3eb66e1d36531c6248095906332ea6d03dffc9abd7fbcb3c2101065110e4536c0a89b6320dcab386871b3f9d9e34e40bad

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimlib\libwim-15.dll

Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
91ab9283f0ea8a2e9ae33c217995cd27

SHA1
345a74a1c04c17a31492f3bb1c28e95042a984d9

SHA256
6089966328998690ffabd8e5dd117e96df6b6c9cf13bb61b43c48503dbe8c438

SHA512
491d1b630eef60c73a908884877118d19793fa23509b2174ee5407e271e2ed8613654f5cde9a9f3ecc9ce9a31010b5c02888350c40043c4969270eb0c935290f

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
91ab9283f0ea8a2e9ae33c217995cd27

SHA1
345a74a1c04c17a31492f3bb1c28e95042a984d9

SHA256
6089966328998690ffabd8e5dd117e96df6b6c9cf13bb61b43c48503dbe8c438

SHA512
491d1b630eef60c73a908884877118d19793fa23509b2174ee5407e271e2ed8613654f5cde9a9f3ecc9ce9a31010b5c02888350c40043c4969270eb0c935290f

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
91ab9283f0ea8a2e9ae33c217995cd27

SHA1
345a74a1c04c17a31492f3bb1c28e95042a984d9

SHA256
6089966328998690ffabd8e5dd117e96df6b6c9cf13bb61b43c48503dbe8c438

SHA512
491d1b630eef60c73a908884877118d19793fa23509b2174ee5407e271e2ed8613654f5cde9a9f3ecc9ce9a31010b5c02888350c40043c4969270eb0c935290f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd431B.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/1504-173-0x000000013FCC0000-0x000000013FE3F000-memory.dmp

Filesize
1.5MB

Download
memory/1504-174-0x000007FEFAA30000-0x000007FEFAB1A000-memory.dmp

Filesize
936KB

Download