Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/03/2023, 17:35

General

  • Target

    Test.exe

  • Size

    563KB

  • MD5

    fb8898216510c6af50a7aa81e23c35cb

  • SHA1

    41d42f120ba66bc69efb3a2e1af47e197242f3a2

  • SHA256

    c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e

  • SHA512

    bd91d17213daa08918998e1352893cf94e36e1c2d7e6008b59c71bbdcbd7b7b58c1c8accc7b561c0e9421c0fe133fa3af131bc2f9ccbc411c38a7c4680851402

  • SSDEEP

    12288:jXLRoysOFO0XmyVNpCwSnDTWm2kqvqSfyqMFIoiBrRR0GPJT1QxC:jXLRhFC8m2v5GIoiVRRnuxC

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\!_INFO.txt

Ransom Note
WARNING! YOUR FILES ARE ENCRYPTED! Don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! Do not rename your files. It will damage it. The only way to decrypt your files safely is to buy the special decryption software from us. Before paying you can send us up to 2 files for free decryption as guarantee. No database files for test. Send pictures, text, doc files. (files no more than 1mb) You can contact us with the following email [email protected] [email protected] Send us this ID or this file in first email ID: 6XSJPpDFGStCH1FNpiAaexScPo0ha1vujSF86KxHWHo=:b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f

Signatures

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Test.exe
    "C:\Users\Admin\AppData\Local\Temp\Test.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1120
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini

    Filesize

    129B

    MD5

    a526b9e7c716b3489d8cc062fbce4005

    SHA1

    2df502a944ff721241be20a9e449d2acd07e0312

    SHA256

    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

    SHA512

    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

  • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{65949401-7B2D-4281-A148-DEA6D44CB2BC}\MicrosoftEdgeUpdateSetup_X86_1.3.173.45.exe.360

    Filesize

    1.5MB

    MD5

    fca0dc08346e759d97f483db65da761d

    SHA1

    ade9e3bcaca722f4133b4a224a56e8ae5154c6ec

    SHA256

    b356de3e3786aca76e511a6468e3976ce608d1278decb1017e87d03d94626121

    SHA512

    7b428d87664461d92285ba883ce9e550becbf6a6f3e96691553bb09b6d6527a740f9cc8b5eaf9bc0312d95e1a08b7a393c3874acbdc1ae76defc5d37a243f5b2

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

    Filesize

    14KB

    MD5

    460d7e35e626d6b4bdb5d036c62f2afb

    SHA1

    1a2f3ae4a09eae574aafc27afe2de171e0e5863b

    SHA256

    c545e9c063692010ff9c02cf9d39151971e213e626701cf5fe0e38f31974e8fc

    SHA512

    a216027ee7420c431eaae565083a9b370f261763c65ac17913860926a07d3d26d1cd1eec7c90dff1d308390d163baa5d15d287c9aa8ec402cf8075d33bf42f59

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

    Filesize

    14KB

    MD5

    916186d46d7dc1d46961379ac3701eba

    SHA1

    651ca7b0c1599057ef5b1356bcd5ef177f36d8fa

    SHA256

    27f7ba5fcb8d4fa37e1019ebc93ec57c9f6d8baac09568517fccb849c3bcc520

    SHA512

    6d7e57aa19615fdc7e5bb268cc6584530ae3392269c652420620174122944aaa2888fd3279128e4fd989293d111a695e99533d8c3df3ca354d0b2d7bf1494d53

  • C:\Users\Admin\AppData\Local\Temp\1567250093\__lock_XXX__

    Filesize

    177B

    MD5

    6269828a455f5b2e470ab7bbf18a4a71

    SHA1

    1120a7b68cc3b8d4c38512f6f5b46cea1999115b

    SHA256

    7a2f326ca41dd6a595b9153391afca052b23ca5fa6827176d9f838f9abfd97bb

    SHA512

    e7e595e7a583d75df2f0b2db341e1165dce0ae0eef5c86b1395faa9a8209ae84e3dcd2fb312d84fc28dd1228500df8eb8f793a3498980c19c2e4fad6d2167376

  • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\!_INFO.txt

    Filesize

    810B

    MD5

    563ae203674920ff2bf1590d6fe6ab49

    SHA1

    5253e10862151145c7d65989acde853e86603a79

    SHA256

    fe763ae57fded8f889ff08cb4f42215be9cd081e61e1f52d91b3b9c6b2883d01

    SHA512

    7ef9abb94a9d45d600aecb274ea567d50321c8a9a0cabb560a0ba3636360421f0068fd70818ce7321294601a911cdc5f907e02d37b92a3cf95c71307e7e8354f

  • memory/1120-1655-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-11576-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-5856-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-2619-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-133-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-8524-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-11315-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-3778-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-13108-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-14686-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-17649-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-20410-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-1316-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-1308-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-22906-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB

  • memory/1120-26653-0x0000000000930000-0x0000000000AC7000-memory.dmp

    Filesize

    1.6MB