27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28/06/2023, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe
Size

3.1MB
MD5

69252776c1d7edf4fb7bc0dd19f08c4c
SHA1

0df8610d999452ea2e1dadeef86dc7c38fd301c0
SHA256

27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713
SHA512

e5d98acf152b7eaf831dad278718bb624a309a7dc95702caaf76c9334a5fccad5c2e8febd3fce3dd4d6372495bf0135d045834ea6ace1104895c879290add2f7
SSDEEP

98304:uaki/AMWObiEsndKt/cx8QNUor1DNB3a9gpOf:Rj0kB6NNB3a9L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1416	vistarun.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe
2040	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UFileEncyption\UFileEncyptionDriver.sys	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe
File opened for modification	C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe
File opened for modification	C:\Program Files (x86)\UFileEncyption\UFileSetup.DAT	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe
File opened for modification	C:\Program Files (x86)\UFileEncyption\vistarun.exe	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1416	2040	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe	27
PID 2040 wrote to memory of 1416	2040	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe	27
PID 2040 wrote to memory of 1416	2040	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe	27
PID 2040 wrote to memory of 1416	2040	27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe	27

C:\Users\Admin\AppData\Local\Temp\27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe
"C:\Users\Admin\AppData\Local\Temp\27ab3988264914d0677e2d09590632e7ff72375de9ed96a5d0d5302e88e25713.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files (x86)\UFileEncyption\vistarun.exe
  "C:\Program Files (x86)\UFileEncyption\vistarun.exe" C:\Program Files (x86)\UFileEncyption\UFileEncyption.exe
  2⤵
  - Executes dropped EXE
  PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
238c42c8b7a701e7c9f6a642e5ba0c87

SHA1
0a9cdd2d0368bc92875bb5141c4587988ca6f379

SHA256
4f3f6752e4b73399d16f16dadf5fbcf83a323ec214fa6bb43a4b43e1726e289b

SHA512
9399502251fe78e12a7fa59ec2eb14e4d727d74d3b6b627cd5951786a194a74e930155cb5f0a9d51e2fb0fa53e5e88ad99595359289343124185865dc144857b

Download Submit
C:\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
238c42c8b7a701e7c9f6a642e5ba0c87

SHA1
0a9cdd2d0368bc92875bb5141c4587988ca6f379

SHA256
4f3f6752e4b73399d16f16dadf5fbcf83a323ec214fa6bb43a4b43e1726e289b

SHA512
9399502251fe78e12a7fa59ec2eb14e4d727d74d3b6b627cd5951786a194a74e930155cb5f0a9d51e2fb0fa53e5e88ad99595359289343124185865dc144857b

Download Submit
\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
238c42c8b7a701e7c9f6a642e5ba0c87

SHA1
0a9cdd2d0368bc92875bb5141c4587988ca6f379

SHA256
4f3f6752e4b73399d16f16dadf5fbcf83a323ec214fa6bb43a4b43e1726e289b

SHA512
9399502251fe78e12a7fa59ec2eb14e4d727d74d3b6b627cd5951786a194a74e930155cb5f0a9d51e2fb0fa53e5e88ad99595359289343124185865dc144857b

Download Submit
\Program Files (x86)\UFileEncyption\vistarun.exe

Filesize
104KB

MD5
238c42c8b7a701e7c9f6a642e5ba0c87

SHA1
0a9cdd2d0368bc92875bb5141c4587988ca6f379

SHA256
4f3f6752e4b73399d16f16dadf5fbcf83a323ec214fa6bb43a4b43e1726e289b

SHA512
9399502251fe78e12a7fa59ec2eb14e4d727d74d3b6b627cd5951786a194a74e930155cb5f0a9d51e2fb0fa53e5e88ad99595359289343124185865dc144857b

Download Submit