89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/04/2023, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe
Size

2.5MB
MD5

6e5a161828537db623b6a761f441f7a7
SHA1

d49d324aba6525926d4ce03ecb3793550a7ee46c
SHA256

89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c
SHA512

4653e8daa30b22083bc20a47d44ca44a4d86e1c4f3f6edf902a3cf9c67a578da24b5e8f6dc37043b73242e9c1c565d111972247d780fb84eab36d336536a7747
SSDEEP

49152:XFAOqOepGRO2ho8ir+6NJSD5QRQt9t8TmdRNm9Ok1QoWskYRRsanPEOc:XFALOW6LhoRJSNuQRVdRN0zWsfRRsaPM

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1712	Project.exe
1256	Process not Found
1764	_config.exe
112	_config.exe

Loads dropped DLL 3 IoCs

pid	Process
924	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe
1712	Project.exe
1256	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1536	helppane.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	helppane.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1536	helppane.exe
1536	helppane.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1712	924	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe	28
PID 924 wrote to memory of 1712	924	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe	28
PID 924 wrote to memory of 1712	924	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe	28
PID 924 wrote to memory of 1712	924	89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe	28
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1712 wrote to memory of 1764	1712	Project.exe	30
PID 1536 wrote to memory of 112	1536	helppane.exe	32
PID 1536 wrote to memory of 112	1536	helppane.exe	32
PID 1536 wrote to memory of 112	1536	helppane.exe	32
PID 1536 wrote to memory of 112	1536	helppane.exe	32
PID 112 wrote to memory of 1772	112	_config.exe	33
PID 112 wrote to memory of 1772	112	_config.exe	33
PID 112 wrote to memory of 1772	112	_config.exe	33
PID 112 wrote to memory of 1772	112	_config.exe	33

C:\Users\Admin\AppData\Local\Temp\89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe
"C:\Users\Admin\AppData\Local\Temp\89780102068a6bd2e67bb50d52c2f2adc6d59bfd79ac219cab707de9afeb120c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\_config.exe
    "C:\Users\Admin\AppData\Local\Temp\_config.exe"
    3⤵
    - Executes dropped EXE
    PID:1764

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\_config.exe
  "C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AACCCCCEEE" /f
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AACCCCCEEE" /f
    3⤵
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK64.dll

Filesize
66KB

MD5
c3eeef64ff9dc524cc7c4203275ee722

SHA1
86ffc7bc5d1eb7e15efa61cb49afbdcbf6c8fa53

SHA256
48dc6c16ba5d372020eb7eab20933a8c4c93a4697038c6a2e0122a2a49c94258

SHA512
2898ed6efadcb0a83a74c6930cd47fc1a23f903eb44a1c9a9507dcd2792f02db1262ada9af6d8ebf2a89ef68ddc8dceb80788d859ba5ddab11b4110be547ad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe

Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.lnk

Filesize
2KB

MD5
b55245bbc81cb26a37692d42f100027c

SHA1
3435fbbc7c8227f17fe3bb098d54fb9d55f61261

SHA256
403931e004015f2a89b2e04a535653ff6c0765ef360fddc4b45f0665bc0b6c42

SHA512
39c3b6d1ce35aceb770b88fef1db1121342d5df3dea26b2f42a3fcc2c13323d20a335256fa9c60a8da8e08aba77856957605e768686eecafef681c40596174a3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe

Filesize
12.2MB

MD5
3a86831e8a40942a3b52b106918233c6

SHA1
e99eb909340269ae614d26c1e95489ae803b1000

SHA256
01f7d004ea6dbad4b2d9a12aa42a3bf6745c96cf356367cad51f8d001b247738

SHA512
2c3250dbdf5d9ad7ed6aed816e2c4e01ee9c564b175c455920cfce204b090e1863bb63e53951ecd587b4755bf85492708e575fc306c7ebf6f1de1c65d118b78c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK64.dll

Filesize
66KB

MD5
c3eeef64ff9dc524cc7c4203275ee722

SHA1
86ffc7bc5d1eb7e15efa61cb49afbdcbf6c8fa53

SHA256
48dc6c16ba5d372020eb7eab20933a8c4c93a4697038c6a2e0122a2a49c94258

SHA512
2898ed6efadcb0a83a74c6930cd47fc1a23f903eb44a1c9a9507dcd2792f02db1262ada9af6d8ebf2a89ef68ddc8dceb80788d859ba5ddab11b4110be547ad9d

Download Submit
memory/1712-67-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1712-72-0x0000000000400000-0x0000000001045000-memory.dmp

Filesize
12.3MB

Download
memory/1712-84-0x0000000000400000-0x0000000001045000-memory.dmp

Filesize
12.3MB

Download