Overview

overview

10

Static

static

7

8fb826ea46...4f.exe

windows7-x64

10

8fb826ea46...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2023 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fb826ea46d4e61c979ad83cf0dd684f.exe

  • Size

    1.1MB

  • MD5

    8fb826ea46d4e61c979ad83cf0dd684f

  • SHA1

    b0f417beea49fec51bb57912f9e719b4d708b22e

  • SHA256

    ee320fdb489f569b02dc934f9e5a12e66a031b3c2a4956d1b29fc4a3f3ab92ba

  • SHA512

    77b2923479a737b315d003e222bfcf0bf4d7cdc843d3ab7654c9ba87a48d34c53803d0ba18d756c9febacd0916f3f410d0d8372a51418d9b8ad2247c0f86d9d5

  • SSDEEP

    24576:W+pA7U7VqM/qVNN1zJaFWJLiuz6B/7wP4QKaYxl2e/:LB7Vq7VTVJac+zB/MPdExl2e/

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb826ea46d4e61c979ad83cf0dd684f.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb826ea46d4e61c979ad83cf0dd684f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DRESJH.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
        3⤵
          PID:2328
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • UAC bypass
          PID:100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgpnG.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
          3⤵
          • Adds Run key to start application
          PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kduKZ.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
          3⤵
          • Adds Run key to start application
          PID:4988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suxqZ.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\msconfig32\msconfig32.exe" /f
          3⤵
          • Modifies WinLogon for persistence
          PID:1296
      • C:\Windows\msconfig32\msconfig32.exe
        "C:\Windows\msconfig32\msconfig32.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\msconfig32\msconfig32.exe
          C:\Windows\msconfig32\msconfig32.exe
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4676
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
            4⤵
              PID:3812
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
                5⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:2424
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                5⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:1684
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
              4⤵
                PID:4780
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
                  5⤵
                  • Modifies firewall policy service
                  • Modifies registry key
                  PID:2860
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4904
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  5⤵
                  • Modifies firewall policy service
                  • Modifies registry key
                  PID:824
            • C:\Windows\msconfig32\msconfig32.exe
              C:\Windows\msconfig32\msconfig32.exe
              3⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4552

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\DRESJH.bat
          Filesize

          255B

          MD5

          180e420d8578c4341546b0f2676f52c5

          SHA1

          3683c541fe1ad96c37fcfa91f3d819f2c43ccf84

          SHA256

          27bad6b003d19c5063cfc49ee5828c5ebb82659ee5c89ed2df20ae1c4917ba28

          SHA512

          5bbcdd40178a399dd4e879e39328824c47edc39a040b7d1eed90368bbdab0d51d9cb187357cc3a223ed22086ff650c10f3841fc9bb50469eb9a72ca343c77ed9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DRESJH.txt
          Filesize

          255B

          MD5

          180e420d8578c4341546b0f2676f52c5

          SHA1

          3683c541fe1ad96c37fcfa91f3d819f2c43ccf84

          SHA256

          27bad6b003d19c5063cfc49ee5828c5ebb82659ee5c89ed2df20ae1c4917ba28

          SHA512

          5bbcdd40178a399dd4e879e39328824c47edc39a040b7d1eed90368bbdab0d51d9cb187357cc3a223ed22086ff650c10f3841fc9bb50469eb9a72ca343c77ed9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\kduKZ.bat
          Filesize

          133B

          MD5

          5c5f6bd3f5ab15437a8d5a452f236cc7

          SHA1

          43dc4c4bcee42f7975f0027e2734c57115e5d7ce

          SHA256

          8f96e1c2750dc729faf255eb4df3f1e501d3394d8043f69dc56036a03b9ed947

          SHA512

          eed35f38654e1c5b4c1ea010f93d6be03250b77bd0e6f79ce12aaaa7333b9346afbd328f4de21e3fa6948d252cb9203a8bd103e0058c129d3130e7399e18b08f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\kduKZ.bat
          Filesize

          133B

          MD5

          5c5f6bd3f5ab15437a8d5a452f236cc7

          SHA1

          43dc4c4bcee42f7975f0027e2734c57115e5d7ce

          SHA256

          8f96e1c2750dc729faf255eb4df3f1e501d3394d8043f69dc56036a03b9ed947

          SHA512

          eed35f38654e1c5b4c1ea010f93d6be03250b77bd0e6f79ce12aaaa7333b9346afbd328f4de21e3fa6948d252cb9203a8bd103e0058c129d3130e7399e18b08f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qgpnG.bat
          Filesize

          133B

          MD5

          4e99d945ca61ed0b261a73d985f5420e

          SHA1

          ce08b5c3939572703ae753bfa72c0224400d7bb2

          SHA256

          ddcc7514a0ca6c4c261d55a5c818136cb6035676d1a56dbb224734c5db1a3064

          SHA512

          988b5bab81311ca5efd773fdd8c872173b42bebce79467615c7ad5ffdb3a0f670300b1d39ab86f62b2a6bea2aa140abfaca211b2c868c4a412a6d5a4c4a8fb8a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\qgpnG.bat
          Filesize

          133B

          MD5

          4e99d945ca61ed0b261a73d985f5420e

          SHA1

          ce08b5c3939572703ae753bfa72c0224400d7bb2

          SHA256

          ddcc7514a0ca6c4c261d55a5c818136cb6035676d1a56dbb224734c5db1a3064

          SHA512

          988b5bab81311ca5efd773fdd8c872173b42bebce79467615c7ad5ffdb3a0f670300b1d39ab86f62b2a6bea2aa140abfaca211b2c868c4a412a6d5a4c4a8fb8a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\suxqZ.bat
          Filesize

          164B

          MD5

          0af5f35091719d8ee61893a158b66625

          SHA1

          1f81728601f8714bfa7e2ca92f9d6a8f6aa89700

          SHA256

          ceac3aee5e97d760c72b18d62c3dfc7d73904366e230c2362c49e8ed700d46f9

          SHA512

          f01c7ecbb9682c2469628f7d1c7e38891b1b9352a27eed50e3597b281fc136f18a6deb4ca04843f632cce295dd8f194ff8c37d31d7167a7a25734d0789bf9baa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\suxqZ.bat
          Filesize

          164B

          MD5

          0af5f35091719d8ee61893a158b66625

          SHA1

          1f81728601f8714bfa7e2ca92f9d6a8f6aa89700

          SHA256

          ceac3aee5e97d760c72b18d62c3dfc7d73904366e230c2362c49e8ed700d46f9

          SHA512

          f01c7ecbb9682c2469628f7d1c7e38891b1b9352a27eed50e3597b281fc136f18a6deb4ca04843f632cce295dd8f194ff8c37d31d7167a7a25734d0789bf9baa

          Download Submit

        • C:\Windows\msconfig32\msconfig32.exe
          Filesize

          1.1MB

          MD5

          28fec9d6a8751dce29e30febe9812904

          SHA1

          b8c734a656357c5ef3a17a2f93f4488f0494fab3

          SHA256

          2971212b5436d622e3378ffba499ac93069dd87c3a88a1d50ea32e6c2d2f78ec

          SHA512

          6813289ebed4bf46aa1e4d75f9d10fd1e1698399f9250f036cd504164c16adfffe48709bab0fee18490cc4dfde20201961abe8c3bc95dae45fae84b20dc390ec

          Download Submit

        • C:\Windows\msconfig32\msconfig32.exe
          Filesize

          1.1MB

          MD5

          28fec9d6a8751dce29e30febe9812904

          SHA1

          b8c734a656357c5ef3a17a2f93f4488f0494fab3

          SHA256

          2971212b5436d622e3378ffba499ac93069dd87c3a88a1d50ea32e6c2d2f78ec

          SHA512

          6813289ebed4bf46aa1e4d75f9d10fd1e1698399f9250f036cd504164c16adfffe48709bab0fee18490cc4dfde20201961abe8c3bc95dae45fae84b20dc390ec

          Download Submit

        • C:\Windows\msconfig32\msconfig32.exe
          Filesize

          1.1MB

          MD5

          28fec9d6a8751dce29e30febe9812904

          SHA1

          b8c734a656357c5ef3a17a2f93f4488f0494fab3

          SHA256

          2971212b5436d622e3378ffba499ac93069dd87c3a88a1d50ea32e6c2d2f78ec

          SHA512

          6813289ebed4bf46aa1e4d75f9d10fd1e1698399f9250f036cd504164c16adfffe48709bab0fee18490cc4dfde20201961abe8c3bc95dae45fae84b20dc390ec

          Download Submit

        • C:\Windows\msconfig32\msconfig32.exe
          Filesize

          1.1MB

          MD5

          28fec9d6a8751dce29e30febe9812904

          SHA1

          b8c734a656357c5ef3a17a2f93f4488f0494fab3

          SHA256

          2971212b5436d622e3378ffba499ac93069dd87c3a88a1d50ea32e6c2d2f78ec

          SHA512

          6813289ebed4bf46aa1e4d75f9d10fd1e1698399f9250f036cd504164c16adfffe48709bab0fee18490cc4dfde20201961abe8c3bc95dae45fae84b20dc390ec

          Download Submit

        • C:\Windows\msconfig32\msconfig32.txt
          Filesize

          1.1MB

          MD5

          28fec9d6a8751dce29e30febe9812904

          SHA1

          b8c734a656357c5ef3a17a2f93f4488f0494fab3

          SHA256

          2971212b5436d622e3378ffba499ac93069dd87c3a88a1d50ea32e6c2d2f78ec

          SHA512

          6813289ebed4bf46aa1e4d75f9d10fd1e1698399f9250f036cd504164c16adfffe48709bab0fee18490cc4dfde20201961abe8c3bc95dae45fae84b20dc390ec

          Download Submit

        • memory/2184-133-0x0000000000400000-0x00000000007D4000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2184-185-0x0000000000400000-0x00000000007D4000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4552-193-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4552-199-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4552-207-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4552-197-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4676-208-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-203-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-206-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-188-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-191-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-210-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-213-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-215-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-220-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-222-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-229-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4676-231-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4812-200-0x0000000000400000-0x00000000007D4000-memory.dmp

          Filesize

          3.8MB

          Download