Overview

overview

9

Static

static

7

Ransomware...ot.zip

windows7-x64

1

Ransomware...ot.zip

windows10-2004-x64

1

1001a8c7f3...87.exe

windows7-x64

1001a8c7f3...87.exe

windows10-2004-x64

out.exe

windows7-x64

out.exe

windows10-2004-x64

Analysis

  • max time kernel
    11s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2023 20:19

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

  • Size

    1.2MB

  • MD5

    e0340f456f76993fc047bc715dfdae6a

  • SHA1

    d47f6f7e553c4bc44a2fe88c2054de901390b2d7

  • SHA256

    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

  • SHA512

    cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

  • SSDEEP

    24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Score
9/10
bootkitpersistenceransomwareupx

Malware Config

Signatures

  • Renames multiple (124) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
    "C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\15989964\protect.exe
      "C:\Users\Admin\15989964\protect.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2688
    • C:\Users\Admin\15989964\assembler.exe
      "C:\Users\Admin\15989964\assembler.exe" -f bin "C:\Users\Admin\15989964\boot.asm" -o "C:\Users\Admin\15989964\boot.bin"
      2⤵
      • Executes dropped EXE
      PID:2804
    • C:\Users\Admin\15989964\overwrite.exe
      "C:\Users\Admin\15989964\overwrite.exe" "C:\Users\Admin\15989964\boot.bin"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:2812
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2020
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2260

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\15989964\assembler.exe
        Filesize

        589KB

        MD5

        7e3cea1f686207563c8369f64ea28e5b

        SHA1

        a1736fd61555841396b0406d5c9ca55c4b6cdf41

        SHA256

        2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

        SHA512

        4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

        Download Submit

      • C:\Users\Admin\15989964\assembler.exe
        Filesize

        589KB

        MD5

        7e3cea1f686207563c8369f64ea28e5b

        SHA1

        a1736fd61555841396b0406d5c9ca55c4b6cdf41

        SHA256

        2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

        SHA512

        4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

        Download Submit

      • C:\Users\Admin\15989964\boot.asm
        Filesize

        825B

        MD5

        def1219cfb1c0a899e5c4ea32fe29f70

        SHA1

        88aedde59832576480dfc7cd3ee6f54a132588a8

        SHA256

        91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

        SHA512

        1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

        Download Submit

      • C:\Users\Admin\15989964\boot.bin
        Filesize

        512B

        MD5

        90053233e561c8bf7a7b14eda0fa0e84

        SHA1

        16a7138387f7a3366b7da350c598f71de3e1cde2

        SHA256

        a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

        SHA512

        63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

        Download Submit

      • C:\Users\Admin\15989964\overwrite.exe
        Filesize

        288KB

        MD5

        bc160318a6e8dadb664408fb539cd04b

        SHA1

        4b5eb324eebe3f84e623179a8e2c3743ccf32763

        SHA256

        f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

        SHA512

        51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

        Download Submit

      • C:\Users\Admin\15989964\overwrite.exe
        Filesize

        288KB

        MD5

        bc160318a6e8dadb664408fb539cd04b

        SHA1

        4b5eb324eebe3f84e623179a8e2c3743ccf32763

        SHA256

        f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

        SHA512

        51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

        Download Submit

      • C:\Users\Admin\15989964\protect.exe
        Filesize

        837KB

        MD5

        fd414666a5b2122c3d9e3e380cf225ed

        SHA1

        de139747b42a807efa8a2dcc1a8304f9a29b862d

        SHA256

        e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

        SHA512

        9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

        Download Submit

      • C:\Users\Admin\15989964\protect.exe
        Filesize

        837KB

        MD5

        fd414666a5b2122c3d9e3e380cf225ed

        SHA1

        de139747b42a807efa8a2dcc1a8304f9a29b862d

        SHA256

        e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

        SHA512

        9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

        Download Submit

      • \Users\Admin\15989964\assembler.exe
        Filesize

        589KB

        MD5

        7e3cea1f686207563c8369f64ea28e5b

        SHA1

        a1736fd61555841396b0406d5c9ca55c4b6cdf41

        SHA256

        2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

        SHA512

        4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

        Download Submit

      • \Users\Admin\15989964\assembler.exe
        Filesize

        589KB

        MD5

        7e3cea1f686207563c8369f64ea28e5b

        SHA1

        a1736fd61555841396b0406d5c9ca55c4b6cdf41

        SHA256

        2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

        SHA512

        4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

        Download Submit

      • \Users\Admin\15989964\overwrite.exe
        Filesize

        288KB

        MD5

        bc160318a6e8dadb664408fb539cd04b

        SHA1

        4b5eb324eebe3f84e623179a8e2c3743ccf32763

        SHA256

        f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

        SHA512

        51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

        Download Submit

      • \Users\Admin\15989964\overwrite.exe
        Filesize

        288KB

        MD5

        bc160318a6e8dadb664408fb539cd04b

        SHA1

        4b5eb324eebe3f84e623179a8e2c3743ccf32763

        SHA256

        f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

        SHA512

        51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

        Download Submit

      • \Users\Admin\15989964\protect.exe
        Filesize

        837KB

        MD5

        fd414666a5b2122c3d9e3e380cf225ed

        SHA1

        de139747b42a807efa8a2dcc1a8304f9a29b862d

        SHA256

        e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

        SHA512

        9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

        Download Submit

      • memory/860-0-0x0000000000080000-0x000000000030E000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/860-173-0x0000000000080000-0x000000000030E000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2020-174-0x00000000029C0000-0x00000000029C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2260-175-0x00000000026E0000-0x00000000026E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2804-38-0x0000000000400000-0x000000000049B000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2812-48-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download