939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/04/2023, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Size

4.0MB
MD5

a025165c579fba8e8595adac40211bf1
SHA1

06a5bc6c7dee37a007c730e610baf8b9587b798f
SHA256

939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0
SHA512

81f10c96aac37582e93885c16b63f27bfccec8afd7e816ed1d404b50319580daead0ef34f18f9032559d17b9ce711dc7eeb2225e20fdc4de567066c659f81ef2
SSDEEP

98304:2+jC3ZbbodNTxYMgQkueXmLs21In2B3hQ4bpt1ls:2Rpbbku7Qku7fuU3hQG

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1408	41792834.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001424f-62.dat	upx
behavioral1/files/0x000800000001424f-63.dat	upx
behavioral1/memory/1408-92-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/files/0x0006000000014adf-109.dat	upx
behavioral1/files/0x00060000000144c1-103.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1408	41792834.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeRestorePrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: 33	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeIncBasePriorityPrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: 33	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeIncBasePriorityPrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: 33	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeIncBasePriorityPrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: 33	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeIncBasePriorityPrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeRestorePrivilege	1408	41792834.exe
Token: 35	1408	41792834.exe
Token: SeSecurityPrivilege	1408	41792834.exe
Token: SeSecurityPrivilege	1408	41792834.exe
Token: 33	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
Token: SeIncBasePriorityPrivilege	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1744	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	28
PID 1244 wrote to memory of 1744	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	28
PID 1244 wrote to memory of 1744	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	28
PID 1244 wrote to memory of 1744	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	28
PID 1744 wrote to memory of 1716	1744	cmd.exe	30
PID 1744 wrote to memory of 1716	1744	cmd.exe	30
PID 1744 wrote to memory of 1716	1744	cmd.exe	30
PID 1744 wrote to memory of 1948	1744	cmd.exe	31
PID 1744 wrote to memory of 1948	1744	cmd.exe	31
PID 1744 wrote to memory of 1948	1744	cmd.exe	31
PID 1244 wrote to memory of 1324	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	32
PID 1244 wrote to memory of 1324	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	32
PID 1244 wrote to memory of 1324	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	32
PID 1244 wrote to memory of 1324	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	32
PID 1324 wrote to memory of 1360	1324	cmd.exe	34
PID 1324 wrote to memory of 1360	1324	cmd.exe	34
PID 1324 wrote to memory of 1360	1324	cmd.exe	34
PID 1324 wrote to memory of 932	1324	cmd.exe	33
PID 1324 wrote to memory of 932	1324	cmd.exe	33
PID 1324 wrote to memory of 932	1324	cmd.exe	33
PID 1244 wrote to memory of 676	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	36
PID 1244 wrote to memory of 676	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	36
PID 1244 wrote to memory of 676	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	36
PID 1244 wrote to memory of 676	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	36
PID 676 wrote to memory of 1408	676	cmd.exe	38
PID 676 wrote to memory of 1408	676	cmd.exe	38
PID 676 wrote to memory of 1408	676	cmd.exe	38
PID 676 wrote to memory of 1408	676	cmd.exe	38
PID 1244 wrote to memory of 616	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	39
PID 1244 wrote to memory of 616	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	39
PID 1244 wrote to memory of 616	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	39
PID 1244 wrote to memory of 616	1244	939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe	39
PID 616 wrote to memory of 756	616	cmd.exe	41
PID 616 wrote to memory of 756	616	cmd.exe	41
PID 616 wrote to memory of 756	616	cmd.exe	41
PID 616 wrote to memory of 1512	616	cmd.exe	42
PID 616 wrote to memory of 1512	616	cmd.exe	42
PID 616 wrote to memory of 1512	616	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe
"C:\Users\Admin\AppData\Local\Temp\939139b9113519b79a8eef47e64c2af38717c57c351194f1871727ecd77e02f0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;"|find /i "C:\Users\Admin\AppData\Local\Temp\41792834;">nul&&echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\"||echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Temp\41792834"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;""
    3⤵
    PID:1716
- - C:\Windows\system32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp\41792834;"
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Temp\41792834;"|find /i "C:\Program Files\7-Zip;">nul&&echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Temp\41792834"||echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Temp\41792834;C:\Program Files\7-Zip"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\find.exe
    find /i "C:\Program Files\7-Zip;"
    3⤵
    PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Temp\41792834;""
    3⤵
    PID:1360
- C:\Windows\system32\cmd.exe
  cmd.exe /c set path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Temp\41792834;C:\Program Files\7-Zip>nul&&"41792834.exe" -aoa -y -p"zzz" x "C:\Users\Admin\AppData\Local\Temp\41792834\41792834.txt" -o"C:\Users\Admin\AppData\Local\Temp\41792834">nul&&echo OK
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\41792834\41792834.exe
    "41792834.exe" -aoa -y -p"zzz" x "C:\Users\Admin\AppData\Local\Temp\41792834\41792834.txt" -o"C:\Users\Admin\AppData\Local\Temp\41792834"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd.exe /c pushd "C:\Users\Admin\AppData\Local\Temp\41792834\"&if /i not "41792834"=="" for /L %i in (1,1,999) do (call set cd_=%cd^%&&if %i==1 (call echo "%cd_%"|find /i "41792834"&&cd..&&call rd "%cd_%" /s /q) else (cd..&&call rd "%cd_%"||(md "%temp%"&exit)))
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" call echo "%cd_%""
    3⤵
    PID:756
- - C:\Windows\system32\find.exe
    find /i "41792834"
    3⤵
    PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41792834\301.res

Filesize
143KB

MD5
00d875ca5b335fe026a1fa229225e831

SHA1
e8bd4b0348028a8b62810a21c524ae622b2162d9

SHA256
95392010aef51d20d7d528da9df2854a32668e016eb80a2db513049a349daf56

SHA512
9f4bc481b81824967896a09bfb0937f25dabf34ceaf70c7fd6c4412500cb27eb42d5e80eae67d844381d3facabe963a2466549ade265a3b2bc22d415c9cd0e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\302.res

Filesize
896B

MD5
9798b3423bc5b1f8b9835ed15b6d4e33

SHA1
99a5eaf92424d7f0bfa7617a7bfb878329c5fbbb

SHA256
da6bd7818a43bdbc93f9bbeaf585049100db60537fa4c17473da7ebd4b892333

SHA512
5907509e4b0a412296b155bb15885730ca0d27306807ed879b7dec27ba87351e67edae86fe9caa0ea1ab8ed56229eed9562c95256e03a59fd920b3523822a95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\41792834.exe

Filesize
280KB

MD5
502118ff624d268f12a6828f933bc135

SHA1
074fc97d9340f18a2ef6a93c43c4a0aafc6409d2

SHA256
e0eda103ef99f6796265098e35a80be368589e6ed2c5ff991fbd40a4fcaa69e7

SHA512
4a6e98781da0b82b95308aa40aff61316a8ed0102d578f9d7c93b69cf3df4a7e539ebb826baca835aaf38601375d936d85163f5565c56d50f3330744c3d468e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\41792834.exe

Filesize
280KB

MD5
502118ff624d268f12a6828f933bc135

SHA1
074fc97d9340f18a2ef6a93c43c4a0aafc6409d2

SHA256
e0eda103ef99f6796265098e35a80be368589e6ed2c5ff991fbd40a4fcaa69e7

SHA512
4a6e98781da0b82b95308aa40aff61316a8ed0102d578f9d7c93b69cf3df4a7e539ebb826baca835aaf38601375d936d85163f5565c56d50f3330744c3d468e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\41792834.txt

Filesize
3.3MB

MD5
bc1f72bff09e585840cbff4ff39516f9

SHA1
c4e8802129cb0c32a012f85370c0e1c968f29232

SHA256
c469f209633d1503bb11ac6264180e33a148485eb1c5c6df200bd068887cb7d8

SHA512
d84969cb1c8bb2e6fa4884e4b2cb6e55f7a368dfb2c18885a81ebb4ffea6300da55ea4ebcd814246d6ba899ecccd71a61eb05a897d0c76eb0743e27e35b0c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\41792834.txt

Filesize
3.3MB

MD5
bc1f72bff09e585840cbff4ff39516f9

SHA1
c4e8802129cb0c32a012f85370c0e1c968f29232

SHA256
c469f209633d1503bb11ac6264180e33a148485eb1c5c6df200bd068887cb7d8

SHA512
d84969cb1c8bb2e6fa4884e4b2cb6e55f7a368dfb2c18885a81ebb4ffea6300da55ea4ebcd814246d6ba899ecccd71a61eb05a897d0c76eb0743e27e35b0c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\7z.dll

Filesize
1.1MB

MD5
04e4f293970589ead1dc19fc8be60c92

SHA1
9ccf48bce8cd04b2bce5eb7b35e5e23b264ff70a

SHA256
6cd22f513ce36b4727bb6c353c58182c7cc8a14cbe3eefdca85c2a25906a0077

SHA512
c4cdbff5e295a516eab64433c16af3cef7ebec9d056ce8732b681fd37deaf389bc9655052ec3e06d14ca3353ebb547ef8ebd5bc78f8083b6d04eee2d9450f616

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\7z.exe

Filesize
283KB

MD5
77e556cdfdc5c592f5c46db4127c6f4c

SHA1
9289a79a81e008f349cb05cb851ae5eaef24b94a

SHA256
034eca579f68b44f8f41294d8c9dac96f032c57dee0877095da47913060dff84

SHA512
d2d83056bd4ca654bbf69fe17e1fcad19c3e813d0243e629a29f04b8e375dce278839c21fc18d5e06ff95b76deb574f8c09e50def0b52a81d65acdb69c0d6d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\7zSFXx64.txt

Filesize
178KB

MD5
985a68b49a86960ff3a73f7e7ef0e9e4

SHA1
1350797c745e41c37bfa049dbca4e8f7ea87d7c5

SHA256
64601657e69d46b705c164a0d177e27d99f2a0fa115d3cedaf0a4a34bb46542e

SHA512
98bf6f49b650ea8701aaa5b0734e8af3aee3233a74d9cd91a9ce4d68c43ae19c68b403eab51a291417da32bd4de7ae49f314d7ba904ac6cd003dc581bc3bf6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\7zSFXx86.txt

Filesize
119KB

MD5
03a28669d0303af2d3d37017006315fe

SHA1
910a5870ad785eb771487215ec1f7e5cd0f256e7

SHA256
65bc9a8c87aea87cbbafa05fdf356c733b695b7bc8de7074a9cebbf6856ed60a

SHA512
e0e47363d4d7b49f283975ffe2c086b64b47a74d63c04118d3b7dadd6d4c804aa7228330edce57e418ef0727327c434477a8d50e038b1cc0daed1893b8bcb897

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\7zx64.txt

Filesize
382KB

MD5
2b863e670948fe613e166dd959c8952c

SHA1
9794c9db1a83126920ee83c82a97d1807f4fa834

SHA256
d54832e040863e5fe565a3806e05f632dd39ebdbf2a13d6c5314c06b65e9a591

SHA512
30fa31e2b4419458650fa83ac76d1e83796f03c05c4f97544228825539da5550b500e62352557b5959b428042692584eb772bc57598988c0cbc22ef3862f5a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\DLLx64.exe

Filesize
9KB

MD5
fed9346e5e97555ae37cd295982f44b4

SHA1
6be413ecf1c6a0e8f5467f703857afda0073b462

SHA256
de8484dfec1d6dcab2e8ffedfac016c39f5c8b76ba803da7c61b600b18adf536

SHA512
208dc896f039cef667fd31509ca726582f28ed02d396c2f5b87fe3e907fdb99cfb4b65250dc0e9a1c17ff59ebc61cf3deae42b4e7e7eb2430d3485dd1f473b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\DLLx86.exe

Filesize
6KB

MD5
5ca8edac1df7c6282020911304b53433

SHA1
ea86c9e045b173da2a22b319e7eb3776163af9f3

SHA256
ea050e84e283555b3358c2a8d97f19a3dbe8730cba2f8835916f818a8dad906e

SHA512
509a7c615a1179b8b7e1fd83e08994d21a90191460825fdac632ce540d7c39ea5034c600cc68f4c5f7a857234d71ec6aa98dbeeab4eafcfe500644f378d844f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\PEx64.EXE

Filesize
1.0MB

MD5
bd25ce676241679dfb5c019646f63a1a

SHA1
e9fc638bf5ed51ea8274fa3d0ca764f375e94530

SHA256
145cc4d237ecb7ad79620ff842444c82b50912a5a84f2c944071c798a9127aee

SHA512
ccff8e909eeabc4636348cce3f008b7aad584f80ea42aa7e0c20d978c5d2dc9ebc5f5df1fb03d13e7d771424618bbc299df371447b4e1c9955ae4a39a0d4e850

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\RH.exe

Filesize
4.9MB

MD5
fb8b0825d1a5d6c248cb8f5811b21d18

SHA1
45ecba2da01bc88c2ba04eced621731a536df467

SHA256
a5214295fb05ff613dd8934022b208c138ae9b661fc6b7762d7df3935729b679

SHA512
c8e183f23b3a9e27d805a6451df1346e35506e28ade66a7dac1b01abf5022645269740be1d831eb2cc22e0230204652e51bdbe3f6c1e16b176bf4111adc92a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\UPX.exe

Filesize
356KB

MD5
0a493c3b30c4f095b68171621ca94fde

SHA1
747159a347c12d394e9576167c234d7db3d9ab0a

SHA256
ce0cdaa2e2d12763c7c7b0decc483020786eb28f25904ed63c06512a83938b69

SHA512
9c67511bde3eedfa0482bf28cdd5564e12cb3c770982ad26eaaa39f2c1f07e90d0f017c7155881f6af9394c75b3c8a9b9d625124ceaa64edc52f44a1a1955bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41792834\mpress.exe

Filesize
101KB

MD5
8b632bfc3fe653a510cba277c2d699d1

SHA1
d6a57aa17e5eb51297def9bac04e574c1e36d9c7

SHA256
2852680c94a9d68cdab285012d9328a1ceca290db60c9e35155c2bb3e46a41b4

SHA512
b9ea70ed984d3b4a42eceb9f34f222b722c4c1985b79b368d769fe0fd1f19f037ffebe2cf938aa98ed450337836a7469d911848448d99223995f7fb3a9304587

Download Submit
memory/1244-65-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download
memory/1244-110-0x0000000000400000-0x0000000000C20000-memory.dmp

Filesize
8.1MB

Download
memory/1408-92-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download