Overview

overview

10

Static

static

10

Confirm_Cheque.exe

windows7_x64

3

Confirm_Cheque.exe

windows10-2004_x64

4

Analysis

  • max time kernel
    156s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08/02/2022, 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirm_Cheque.exe

  • Size

    376KB

  • MD5

    6acbe94f31ef95152e956a0b6e81c6b7

  • SHA1

    17f42b347f265d8bc8047df7ae4140e9c28792e0

  • SHA256

    b9a493df37ecf4be7f92c1da6d1422ffa38490b5fe336424f30bf095c4073d51

  • SHA512

    3ca582c20bdba7eb455be07257650840d13ec9fd06f80c35f8982b09a04fd184b84ff9b9cc60f8d04f921bc944e5c90f3dc541e61d87805cb0e6b08e5fa3b2cc

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Confirm_Cheque.exe
    "C:\Users\Admin\AppData\Local\Temp\Confirm_Cheque.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
        PID:2032
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Modifies data under HKEY_USERS
      PID:1912
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2700

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1912-138-0x00000211C6180000-0x00000211C6190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1912-139-0x00000211C8550000-0x00000211C8554000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2104-152-0x00000228629A0000-0x00000228629A4000-memory.dmp

      Filesize

      16KB

      Download