d0343c3575a7f1caf5d53ce8322ff8a748e009af9dcc924b6ecb75524d000b21

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
Size

1.6MB
MD5

e221de400b5cfb955cb0973e189da049
SHA1

af8000af453527e4901fb534143c455a4e68e9ce
SHA256

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1
SHA512

aba03236398d59ca93bb56f8a7f512f9b7fc4aa279c70332287b35833d9840eee5a1067c3800e3def9be81f51a3bee5bac71c35423606f047b427f295fb5b387
SSDEEP

24576:WKMlgd2tUtSuoL3Mj+B4OrUgeAI7GiFsJ9FU+Z6ehMFxY+bSQzMwRaZOrD:RAtUguoL3Mj+ZIgqGi+FU+ZZz+eQzwOH

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Engine.exe

pid process

1028 Engine.exe
Loads dropped DLL 1 IoCs

Processes:

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe

pid process

1988 0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe

pid	process
1028	Engine.exe

pid	process
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SETUP_29932\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\Engine.exe	upx
behavioral1/memory/1028-90-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/880-96-0x0000000002750000-0x0000000002790000-memory.dmp	upx
behavioral1/memory/1028-98-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1028-99-0x0000000000400000-0x0000000000557000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exe0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe

pid	process
880	powershell.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
880	powershell.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 880 powershell.exe

description	pid	process
Token: SeDebugPrivilege	880	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exeEngine.exeCmD.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1988 wrote to memory of 1028	1988	0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe	Engine.exe
PID 1028 wrote to memory of 876	1028	Engine.exe	CmD.exe
PID 1028 wrote to memory of 876	1028	Engine.exe	CmD.exe
PID 1028 wrote to memory of 876	1028	Engine.exe	CmD.exe
PID 1028 wrote to memory of 876	1028	Engine.exe	CmD.exe
PID 876 wrote to memory of 888	876	CmD.exe	cmd.exe
PID 876 wrote to memory of 888	876	CmD.exe	cmd.exe
PID 876 wrote to memory of 888	876	CmD.exe	cmd.exe
PID 876 wrote to memory of 888	876	CmD.exe	cmd.exe
PID 888 wrote to memory of 880	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 880	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 880	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 880	888	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe
"C:\Users\Admin\AppData\Local\Temp\0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\SETUP_29932\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\Engine.exe /TH_ID=_2004 /OriginExe="C:\Users\Admin\AppData\Local\Temp\0f407885972527820e108a66a95f8d0917d185a8244ca3a762a28bb53fe430d1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\CmD.exe
C:\Windows\system32\CmD.exe /c cmd < Dynamics
3⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00000#All
Filesize
13KB

MD5
b760db51ea80f3affb6d560363467cc6

SHA1
1fc7dfdf6e7ab710e8fb72e7b811a8b0733bc437

SHA256
5265907c3206d6997cf7948e09527f87d82893ea6f282009d16207020951e32a

SHA512
1ed267cbb86675130fc3cfcad54f2978d6448bb9638c9e8b12e76bf43700de9c2ddfec1ffdd4675cd962e4ec5762f297d249aa3447026b74f822e899aea748f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00001#Bow
Filesize
149KB

MD5
480593e4e45c2aae97d43acfd72cc303

SHA1
7d410fedb3638039e3acb6dab7fbd87c11d3f569

SHA256
fd5ea03406b9219d335f2333081d085e5b3619ca3328fba6c1fe8d648912766e

SHA512
5b8016abe13de58925cbdb41f7e4693ad14aaed14d25640b9c98ce6fd29b89f5e512b3afc45c0d2d185045100ad0f6d8c6285e21ac780efad2c0e0be4ac02e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00002#Bumper
Filesize
16KB

MD5
7d6f12a386d1c9e6cf9916c3173c5932

SHA1
6f19920c185eb9e549a9c5732e10296f36f5e4a4

SHA256
056e281b03196c827913481ddd2c0299daef2668b76779a1dbb612e42f74fae2

SHA512
345ad236b57f89b0b0c3f1f26f692fdea3933b73dd993e4960cd46593ea99e4b59b848e967ec53e0332141b1527c5c524a500e469f572c02777bcb0d386a2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00003#Dynamics
Filesize
14KB

MD5
8287ce1d975af35e954e923b5921457a

SHA1
fd61d52c8d2776b874f2508fff0384f985f7cf97

SHA256
492308217b40ff311e9775bc71d8b42fbf781add2660f3cf5ece897cbe280078

SHA512
ab95b1b072d1adaef6b90cabf3ebdbd3a3d413da688b728a4cb277dad317d19c9e2c7b4f8eecd703392ba7157805e1bb122bb84b207b072d5b2785223190a9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00004#Immunology
Filesize
151KB

MD5
aa17279505ac32160034f8a8839e8f80

SHA1
b49b784bdde5a031ac5d48e46d933f46cee6927c

SHA256
534059d1faebac35160fbe7f8faef0b9eec47aaeebf42137bdca98e8fd972242

SHA512
4f55c0c355cb619056e415a9cc1762515a878b1fa9ccc9ed521b5f54c3684ac577ca7bb2a22fd87ea255767299d828a27b5a19f264d9ac4da36b716f240397cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00005#Manga
Filesize
1.1MB

MD5
56a8a8e2e85abe12c648ae6eee609f43

SHA1
fac9d4f4f0de4dba79a22990eb689eceaaf37192

SHA256
d3f732f5b4878880012ab6edcd21b761a317ea2abbc25e510f9f1c3932d2cb71

SHA512
bcd3b99219efbfc4b2aee914ce031dd5327687cd197c4c0fa69ed11bb3559288ec046680b6e5113bc1237be29ff515af32c198a4f7341973ca93e3ca8cc57c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00006#Memory
Filesize
44KB

MD5
e7e32c2a8485d1a2e30168429aba09db

SHA1
328513ea848a9ba4b05ad7b35f738a71a5e46b06

SHA256
8bba3408bea12bdf541766bbb2a9ddf8dfa022143544ea2b38ca41c6e506ea21

SHA512
1c0fa5062dccf716baa9ea3d84be60029a7985bd183ee302095bcf533f9745e3364852dce566c067fd3ac02cefb243558a7cf353cffa1c0528c00701c47f875d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00007#Placing
Filesize
99KB

MD5
055856c7f7226fe771420003504e17df

SHA1
97c63783438858506c09e0c2a970dade78ce3e3b

SHA256
326bb3ac0eab85a22ff6a44605a90981677de22ebe17e91ba4040a53dc3477b9

SHA512
2b14994236ae3d150ef1901354f5cad326faec15158d9b54a4eb137a1be6f7d1d0cb388508a230318c2c29886a1370a90767a24e9b1148c5d0b69ebd337a43ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00008#Qatar
Filesize
142KB

MD5
42a92fad3aa782c144303db85e9b6160

SHA1
93478cb63986524c2dbd41fcede84da181bac4fd

SHA256
95e4a393a2ce9a18b1fbb23e4c5a07b357b508fb3c31179cc419cdbb7ed75535

SHA512
b2b76f91f578cea2aa5df6673bc5183b5ae99cafb654d660c6dcc0987d0d11558e6d32fbfc559de143979577bf1f80be7b2f4b9fa9e397a0e71b66d46ce49d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00009#Queue
Filesize
43KB

MD5
840d3174c45bcc69db130dbc34d3498d

SHA1
76c644e82095263e26c2190cd90c15875824a315

SHA256
e6e611a76be9a29768c8f33e6bdb1e70d5ce5a61146e129413e4679ff9e8f97b

SHA512
adb7e724b8acf30a8da90a93e4916703a57f3a77aa2471f50b430b5d41b20e82ceece4fb122421a27811b1b955e73c4087b88ebe5b7168a69b46a743bef6c473

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00010#Solutions
Filesize
154KB

MD5
14895da525fc0a0d06ecf2bcb92dbc1f

SHA1
f163aaa6c2e31a0e3d98812991896e6aa7bd2008

SHA256
313af3d2356141806da23dc7039e7ea2d03234db3e308146f2eed1b731a29a87

SHA512
3ae4f2d2e4c93e5000e7148bf63a0b209a9fcc53b1006be20fc6067a0de1656504323a1d9e4bba4fbd1cb3d41f4b3fd477eb0c2def634d74de89c4d11416842b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\00011#Sox
Filesize
114KB

MD5
aafe487839ee160aa8ee5a2da5f1e0f0

SHA1
1e403c7a922a44f032d1e080f5601d43ee669eba

SHA256
3708f149999be9e4ead2209ba82259ae2b8b45fd29edcd878343e312f9b48dc1

SHA512
c9884c782ccb69745680c877d5ad9177084af1ac01fa7ac0ce690372856cb763839cba5e38ed989a26074c79bccf7cb10f19689ba44643bb27baece8bd52cd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\Engine.exe
Filesize
429KB

MD5
7b596c0cbb9056107ed4783184805501

SHA1
a6397b178a3c51dbc987eca124f0f8a64a5c2115

SHA256
ce5ccd3d4effb9c453d8847bfb4d056f874d92593d816bcd39ba5ad15be738c9

SHA512
1d20386dbbf4cc7effa449fcfe5d9880d712a1678cb5f3c10ac5789cf29034a998a23802f5694c8d6eaf5d9b1f8d703fad179d7dacad2cf5f8d16c30792fc248

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29932\Setup.txt
Filesize
2KB

MD5
45168af3c3c98607fbb30dbc1092a9d2

SHA1
95b16f76585e4f2be132dcef3157ce6bd8f98d07

SHA256
693ddfd2143b7b238ee2b0a7a75a11dcb269d9555e5da9c43c71fb1b1809c845

SHA512
c2e70115924d8153ceab6c3f4b707f9b43fc9a17f2a630c1c4ff0c46df1b359c76b997f25ecef1f842dc768e538274b2c01530af3797d7dd67376f2c84f57050

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_29932\Engine.exe
Filesize
429KB

MD5
7b596c0cbb9056107ed4783184805501

SHA1
a6397b178a3c51dbc987eca124f0f8a64a5c2115

SHA256
ce5ccd3d4effb9c453d8847bfb4d056f874d92593d816bcd39ba5ad15be738c9

SHA512
1d20386dbbf4cc7effa449fcfe5d9880d712a1678cb5f3c10ac5789cf29034a998a23802f5694c8d6eaf5d9b1f8d703fad179d7dacad2cf5f8d16c30792fc248

Download Submit
memory/880-95-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/880-96-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/880-94-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1028-90-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1028-91-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1028-98-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1028-99-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1988-89-0x0000000002120000-0x0000000002277000-memory.dmp

Filesize
1.3MB

Download
memory/1988-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1988-103-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download