Overview
overview
10Static
static
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
4ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
9ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
1Analysis
-
max time kernel
315s -
max time network
342s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 15:58
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.bin.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral7
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral21
Sample
good.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
infected dot net installer.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
update.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
vir1.xls
Resource
win10v20201028
Behavioral task
behavioral25
Sample
xNet.dll
Resource
win10v20201028
General
-
Target
infected dot net installer.exe
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 228 ._cache_infected dot net installer.exe 2352 Synaptics.exe 396 Setup.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation infected dot net installer.exe -
Loads dropped DLL 5 IoCs
pid Process 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" infected dot net installer.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Setup.exe -
Modifies data under HKEY_USERS 4 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance infected dot net installer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe 396 Setup.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 932 wrote to memory of 228 932 infected dot net installer.exe 76 PID 932 wrote to memory of 228 932 infected dot net installer.exe 76 PID 932 wrote to memory of 228 932 infected dot net installer.exe 76 PID 932 wrote to memory of 2352 932 infected dot net installer.exe 77 PID 932 wrote to memory of 2352 932 infected dot net installer.exe 77 PID 932 wrote to memory of 2352 932 infected dot net installer.exe 77 PID 228 wrote to memory of 396 228 ._cache_infected dot net installer.exe 78 PID 228 wrote to memory of 396 228 ._cache_infected dot net installer.exe 78 PID 228 wrote to memory of 396 228 ._cache_infected dot net installer.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe"C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe"C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\8d33db8c509f4aef3f5b14b58758\Setup.exeC:\8d33db8c509f4aef3f5b14b58758\\Setup.exe /x86 /x64 /web3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:396
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
PID:2352
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1512