Overview

overview

10

Static

static

10

3af6bf3832...af.exe

windows7-x64

7

3af6bf3832...af.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    90s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2023 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe

  • Size

    16.8MB

  • MD5

    0ee4fb241171bccc49b242101ad50901

  • SHA1

    a8b3e341d88a56ca73ce15aa3ddcebddfac29c09

  • SHA256

    3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af

  • SHA512

    10a54e85f38d976801ad9fa123c4dd8c044b54ec35f87b6463540eaf2e1a12976f85fd6c2e5c25b9b536982c20e1c9d2e21854db9e6a87a2ccce158efde8c305

  • SSDEEP

    196608:mU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStmalLXx:n7d9xZo7d9xZS7d9xZo7d9xZ9alLX

Score
7/10
persistenceupx

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe
    "C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      2⤵
      • Drops startup file
      PID:4420
    • C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe
      C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe
        C:\Users\Admin\AppData\Local\Temp\3af6bf3832ef4fca74ee05e5d824bdf56bda49558221d2444acc423e12c226af.exe
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:4608
      • C:\Windows\SysWOW64\diskperf.exe
        "C:\Windows\SysWOW64\diskperf.exe"
        3⤵
          PID:4804

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4424-142-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4424-136-0x0000000000400000-0x0000000000628000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4424-143-0x0000000000400000-0x0000000000628000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4424-144-0x0000000007180000-0x0000000007181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4424-138-0x0000000000400000-0x0000000000628000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4424-139-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4424-141-0x0000000000400000-0x0000000000628000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4424-140-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4424-156-0x0000000000400000-0x0000000000628000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4424-135-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4424-137-0x0000000000400000-0x0000000000628000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/4424-146-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4424-155-0x0000000000400000-0x0000000001400000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4608-154-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4608-150-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4608-161-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4608-159-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4764-134-0x0000000000400000-0x0000000000449000-memory.dmp
      Filesize

      292KB

      Download