Overview

overview

7

Static

static

1

pu5xtvhm.exe

windows7-x64

7

pu5xtvhm.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2023, 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pu5xtvhm.exe

  • Size

    420KB

  • MD5

    e85fa08c1ed20440363e2e44eced6299

  • SHA1

    e0867a371a5c6bfdf6bd84470b188f0817b4d23a

  • SHA256

    c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

  • SHA512

    73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

  • SSDEEP

    6144:g/v3nlCZp4WBAo8+zcJHZNIp4id9q/7ygt2k/BFi+Vrh+Z6QFn5EzMJ1:E/lppJHwp5e/viEg6z81

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pu5xtvhm.exe
    "C:\Users\Admin\AppData\Local\Temp\pu5xtvhm.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\pu5xtvhm.exe" "C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • Runs ping.exe
        PID:2000
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • Runs ping.exe
        PID:1676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1556-54-0x00000000003C0000-0x000000000042E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1556-55-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1556-56-0x0000000001EC0000-0x0000000001F0A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1556-57-0x0000000000520000-0x0000000000538000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1556-58-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1556-60-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1556-61-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1556-62-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1556-63-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download