586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30

Analysis

max time kernel
3s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 11:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f90db90919147d8d78cd6bb75401cf45.exe
Size

334KB
MD5

f90db90919147d8d78cd6bb75401cf45
SHA1

cd5213f1efe2f09f846d77fe8b4401739d42155e
SHA256

586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30
SHA512

e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085
SSDEEP

6144:OYa6n+tGdxEVV9HBfc3AP9srpWatYOVRd9+F4AyAIBp3ahNAW8XsaLcPncB2:OYNAgAgK9s8atdbf9Im9ca0cB2

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	zipguge.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1160-143-0x0000000000400000-0x0000000000488000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\frdnx = "C:\\Users\\Admin\\AppData\\Roaming\\wtwklmktexxebr\\pepnknlvetqnvf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zipguge.exe\" C:\\Users\\Admin\\Ap"	zipguge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1380	1284	f90db90919147d8d78cd6bb75401cf45.exe	84
PID 1284 wrote to memory of 1380	1284	f90db90919147d8d78cd6bb75401cf45.exe	84
PID 1284 wrote to memory of 1380	1284	f90db90919147d8d78cd6bb75401cf45.exe	84

C:\Users\Admin\AppData\Local\Temp\f90db90919147d8d78cd6bb75401cf45.exe
"C:\Users\Admin\AppData\Local\Temp\f90db90919147d8d78cd6bb75401cf45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  "C:\Users\Admin\AppData\Local\Temp\zipguge.exe" C:\Users\Admin\AppData\Local\Temp\bwnmlnda.zha
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\zipguge.exe
    "C:\Users\Admin\AppData\Local\Temp\zipguge.exe"
    3⤵
    PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwnmlnda.zha

Filesize
7KB

MD5
34460fb4f84ad9cdbe4e24b77752437d

SHA1
ed7d6b57ca7662e069cbdee69fd73cf6d2701d8e

SHA256
b3fb80fe2450104084e20acd43a9930ba14bf13246c4d374e1e36c8594f2dec4

SHA512
d72f0f2f8b5fb00b73c8a4ef7a8410015638ce6bd5665cd585285735ac1ff8de9eab972e22c265e1b24bece19efc7212d64ecaf9b5f0b44fd192e3183b4e5433

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwkrasyudl.j

Filesize
250KB

MD5
200df3463b32028243e5afd190df206c

SHA1
a45550c563b60b8a29859031f5b94ab107f44087

SHA256
bac67949e660a912516c259a225059b672f8839fbf1f5c54cd86783ecbba9df7

SHA512
257a5e595d366d8786b827cc60b285af7db66dd707d18df24f5dd6200d0d3d35c8dacfd010cb2940399ed2acb1cb8e93c06a26213dbe120b770fda39c2572581

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe

Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipguge.exe

Filesize
60KB

MD5
1a4b87e0f57b0a94b7fc65e9a30e5ad0

SHA1
924e54b4b0298c8c0843796bfab0e41c2310eb3e

SHA256
b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe

SHA512
755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a

Download Submit
memory/1160-143-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download