Overview

overview

10

Static

static

10

7482ef1acb...82.exe

windows7-x64

9

7482ef1acb...82.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7482ef1acb27564cbd55a257ba8058074eaa1559c3c708d32ef303f6a477b282.exe

  • Size

    122KB

  • MD5

    6c4205f82be1c7fdef73485523b85cba

  • SHA1

    e63b335dce9f56fccae4a061a1637b94d78889ef

  • SHA256

    7482ef1acb27564cbd55a257ba8058074eaa1559c3c708d32ef303f6a477b282

  • SHA512

    7a5e71f2bed094efe3c07ea5d812e5cabc29b853b8ee0282add6d58440f03d3fb36d272f70385b3929191d495db52c9e2319c94922bbae2ad11e0b59c926a0a2

  • SSDEEP

    1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q1pkdv5+I8K/XCKCGSqzVp:+nyiQSo1Iv5+ufC58/

Score
9/10
ransomwareupx

Malware Config

Signatures

  • Renames multiple (3749) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • UPX dump on OEP (original entry point) 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7482ef1acb27564cbd55a257ba8058074eaa1559c3c708d32ef303f6a477b282.exe
    "C:\Users\Admin\AppData\Local\Temp\7482ef1acb27564cbd55a257ba8058074eaa1559c3c708d32ef303f6a477b282.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\_createdump.exe
      "_createdump.exe"
      2⤵
      • Executes dropped EXE
      PID:2072
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp
    Filesize

    66KB

    MD5

    0c2a8472c3d5d6a2e4801d4fddacc8ed

    SHA1

    b5ccfd947da2f045b4b803cd8099489cd0e80381

    SHA256

    240b4fa753c89adae1da9f213df6205f1550048db0c827728e5c14f62896342e

    SHA512

    7c3d6321014e9916fe059ef0d0eb6567bf41f8735506c1130056a6082bc4794a6fe6ae99d15c4eb5503858f6bc4e1ab31864dfb8e68e2c1491de964f71d46d15

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_createdump.exe
    Filesize

    56KB

    MD5

    a05b36f6129223951282f9df776761b1

    SHA1

    ec87fa41a670cffa5d77f64366fe109278661f2c

    SHA256

    5113e7ae92f3a7aebc7f8e363209866d4d743b06a26c67e0886979a56fd3a10d

    SHA512

    38b588b28057994305a3abc37d98770ab7ff905cba6da35e91b2936b99823955fc91b90a23174d53337dd62e320b9bac066b76734bf657de9fad6d37071c70da

    Download Submit
  • \Windows\SysWOW64\Zombie.exe
    Filesize

    66KB

    MD5

    0e6c53169898c8e861fc73ba8be45a4b

    SHA1

    1046b149e7b5f457223540c61d0d0fcfa3ede1c3

    SHA256

    3ef8f9bd19e82309db29f8d4b7f239fcf14a8ea410d1558a53d637141b74ab5f

    SHA512

    fdaa58e47c535db24a6e50f032c7d286a7a07c3d3a64b8f20457e7d1e52760e0a6b1286dfc9d6fcfae73b5b956c66cefd015f1ef7a12e0e1e8f397dee1c3323f

    Download Submit
  • memory/2880-0-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2880-14-0x00000000003F0000-0x00000000003FB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2880-22-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download