Analysis

  • max time kernel
    42s
  • max time network
    90s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-01-2022 18:11

General

  • Target

    7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe

  • Size

    116KB

  • MD5

    b8ecec542a07067a193637269973c2e8

  • SHA1

    97178479fd0fc608d6c0fbf243a0bb136d7b0ecb

  • SHA256

    fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

  • SHA512

    730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Roaming\D629.tmp.exe
      "C:\Users\Admin\AppData\Roaming\D629.tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:2580
    • C:\Users\Admin\AppData\Roaming\E8C8.tmp.exe
      "C:\Users\Admin\AppData\Roaming\E8C8.tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:3744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe" >> NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:312
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\D629.tmp.exe
    MD5

    446119332738133d3ecd2d00ebe5d0ec

    SHA1

    83c4c026ac8bffb9287a5b9ade2e93d4dcc50709

    SHA256

    5718e48ba5305adeea0390ca7cce071cc86f2c3d03560842f9067aad3d92193f

    SHA512

    d185fcd61861020ed6385650d4bbaeac9c6f4eba6e79164dce65cb96e4cac6360d9a49444fa0a4c1c01e5579eff495f82712d9b1e73d6d5f35a3459ac038600f

  • C:\Users\Admin\AppData\Roaming\D629.tmp.exe
    MD5

    446119332738133d3ecd2d00ebe5d0ec

    SHA1

    83c4c026ac8bffb9287a5b9ade2e93d4dcc50709

    SHA256

    5718e48ba5305adeea0390ca7cce071cc86f2c3d03560842f9067aad3d92193f

    SHA512

    d185fcd61861020ed6385650d4bbaeac9c6f4eba6e79164dce65cb96e4cac6360d9a49444fa0a4c1c01e5579eff495f82712d9b1e73d6d5f35a3459ac038600f

  • C:\Users\Admin\AppData\Roaming\E8C8.tmp.exe
    MD5

    4d75dea49f6bd60f725fae9c28cd0960

    SHA1

    39875c55b440554253b32d581e1c1e01bd50eb90

    SHA256

    f780f1b37685e902aa4910e5a6d62c7a209f002f88c83598b30ca804f5f4e1f0

    SHA512

    fda61a9cc6a78b6949d4d959b090e84e09f1d41d0b63daa843e28a0666e6989adf25130787f91f5d9e0a3c37ed4bb0ba7b98ed54ac4a0236176124ba0baf9ce5

  • C:\Users\Admin\AppData\Roaming\E8C8.tmp.exe
    MD5

    4d75dea49f6bd60f725fae9c28cd0960

    SHA1

    39875c55b440554253b32d581e1c1e01bd50eb90

    SHA256

    f780f1b37685e902aa4910e5a6d62c7a209f002f88c83598b30ca804f5f4e1f0

    SHA512

    fda61a9cc6a78b6949d4d959b090e84e09f1d41d0b63daa843e28a0666e6989adf25130787f91f5d9e0a3c37ed4bb0ba7b98ed54ac4a0236176124ba0baf9ce5