Overview

overview

8

Static

static

7

d9f7f88e5a...63.exe

windows7-x64

8

d9f7f88e5a...63.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2023 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9f7f88e5aba4e35f7cc1d789c52b397b011a85cd8a538b5e33013ab95479a63.exe

  • Size

    1.8MB

  • MD5

    f530f34385a0503f33b8045574cdb791

  • SHA1

    ffd0a6c8e939ab54a27c01d4dc26b004d528f280

  • SHA256

    d9f7f88e5aba4e35f7cc1d789c52b397b011a85cd8a538b5e33013ab95479a63

  • SHA512

    c55ec9879ec1671bb45cde26203e29be1b5c89fbb257c8a8c1618b468be4528a848a04e63a2832571af3bcaddfb2004097af8ca83183f7d7eee8322169c31114

  • SSDEEP

    24576:v3w+aesSr4NxtFgnvBnG192XBmPL8hoxTNuKl8Whgwl/VeTsYfXUTvR0MhyOVToX:z/4Nx0nZn7Y8GSKlEGeTsYfOJBW+z8b

Score
8/10
upx

Malware Config

Signatures

  • Downloads MZ/PE file
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9f7f88e5aba4e35f7cc1d789c52b397b011a85cd8a538b5e33013ab95479a63.exe
    "C:\Users\Admin\AppData\Local\Temp\d9f7f88e5aba4e35f7cc1d789c52b397b011a85cd8a538b5e33013ab95479a63.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat
    Filesize

    37B

    MD5

    5b52c1e3cd1c8d7780ee1ce8cd83e619

    SHA1

    a54602713df79b12adcb08696543e5b4f061f51c

    SHA256

    5cb46e16b07394e4f23a1529397cf5f3fc6f4ace32ddde4f8ab7470317a4be2a

    SHA512

    bc2c3dba0111944b6dcf2051ef5cc4dd495b0b46f3d847c66c2039d5d190c0983e50bff372d05446da45efaf4f5db2f7f391d1d7f5b54f9232753b55b9243d1d

    Download Submit
  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
    Filesize

    8B

    MD5

    3b0f2d77e15beb3b85e8ef752d6a3bd3

    SHA1

    9a39f2dd186749fea11b84e53cfa77194eed88d3

    SHA256

    b171e283c6145acf2b923098dbbc40ffc39b4f1db0212928f9869747376c4ac8

    SHA512

    998af177560b6f6e225d9dfe1ae7799cdeec81ae437654c210197dce1cd41f3f9dac087dfef0652caba6b0c5fcdae50b29c2c96862b76ab3712227fb937d61c8

    Download Submit
  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\NCload_main.xml
    Filesize

    2KB

    MD5

    811f9698afed38a3c45add85f6477a9b

    SHA1

    40a7b4765e2d118fbe0530491b27b3c92f55a21c

    SHA256

    b45700bb1957a69af27badcf54e06f517bceda0a44ee0e7473ed823f8738eef7

    SHA512

    275f8ba0ec223e615b4a374d84b794b61db516543182c12c77094a53a661559d766b6d0d134f67e39eb60270e4cca15a1d576b8cfdecad2016d452195db4593f

    Download Submit
  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\activity.xml
    Filesize

    37KB

    MD5

    2a35c19903898813bf26669963632a66

    SHA1

    f6a62afd9899b694c9c64b73f2099ddbc12bbb63

    SHA256

    157dd969b149fbf946a7f0f9a89ee6aea93021da5133edb822bd6a8c398660e2

    SHA512

    2c9612b93246b4d36c574e71e944cacd7eddb8e52563ca55e2a69ae6a8b357b199e656738ef91df0eb02b5cd6890f5c9e1de35ff8c02a5dbc1a80fa277a1857d

    Download Submit
  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\crop.xml
    Filesize

    2.5MB

    MD5

    e59a1bc1cd90fd0867ebd4344ce553ee

    SHA1

    aea2f2b18a611e9f911bb8406a7f3c9709627d31

    SHA256

    aeecb43355f0c1cace9abb776da17bf0db65a9557c08c886208e1cbb4b20e450

    SHA512

    8360a2ec7f15778515192d94ebba681087d5c7fc2dfa0b570438d9532c5dc27201ba39da12c931697d2848cf36ad866546acb4a3c306025858ee6d87bc3a6c62

    Download Submit
  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll
    Filesize

    558KB

    MD5

    5f86d65a1686e6bb031048d04bb3fe04

    SHA1

    08052c7dda12c53971dd5600223cfb3a47283998

    SHA256

    39531152d763dd51da8ae6a50b206f296a07410602cdb399c991987e8a11f6b4

    SHA512

    970e9965236cfb827848e93de3ad0132cde0a57cbee38ad72441dc65fb824ea6c749e5993cd948231bb881d4cf6dfc735231b643d58b64de1f81caff91987e5b

    Download Submit
  • C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll
    Filesize

    140KB

    MD5

    e503921a6061251302cb45772cb75f42

    SHA1

    b84a9daf1250dd33962feb6faaa122273a0b29a2

    SHA256

    970bfe2045464dfda89a1cd262f09813ab9c9ceb3c7375f02bca8aeecdc4cfcb

    SHA512

    d52b471d3e71e255d5bc7c9f04e141e80e750482183b770fdc35c08c0cc696c66643bc7074ebbeb2f9d95b6b728666414ad0ae5908f16e9a6e21d159dce33c48

    Download Submit
  • memory/3608-152-0x0000000000C50000-0x0000000000C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-148-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-163-0x0000000011000000-0x0000000011179000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3608-164-0x0000000012000000-0x000000001205F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/3608-165-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-151-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-149-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-199-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-200-0x0000000011000000-0x0000000011179000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3608-133-0x0000000000C50000-0x0000000000C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-147-0x0000000004B70000-0x0000000004B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3608-212-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-215-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-218-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-221-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-226-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-232-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-238-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-244-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/3608-247-0x0000000000400000-0x000000000095A000-memory.dmp
    Filesize

    5.4MB

    Download