Overview

overview

10

Static

static

f361afd4dd...31.exe

windows7_x64

10

f361afd4dd...31.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    48s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-02-2022 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe

  • Size

    201KB

  • MD5

    3f5da05d62a70eb1212db39d5d6cf45e

  • SHA1

    369b0ba084ba65268d56019653d8edd37c4838f1

  • SHA256

    f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

  • SHA512

    7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2304
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3332
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
        1⤵
          PID:3132
        • C:\Windows\system32\taskhostw.exe
          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
          1⤵
            PID:2404
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
              PID:2284
            • C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
              "C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe"
              1⤵
              • Checks computer location settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3348
              • C:\Users\Admin\AppData\Local\Temp\CauYDIa.exe
                "C:\Users\Admin\AppData\Local\Temp\CauYDIa.exe" 8 LAN
                2⤵
                • Executes dropped EXE
                PID:4772

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\CauYDIa.exe
              MD5

              3f5da05d62a70eb1212db39d5d6cf45e

              SHA1

              369b0ba084ba65268d56019653d8edd37c4838f1

              SHA256

              f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

              SHA512

              7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CauYDIa.exe
              MD5

              3f5da05d62a70eb1212db39d5d6cf45e

              SHA1

              369b0ba084ba65268d56019653d8edd37c4838f1

              SHA256

              f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

              SHA512

              7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

              Download Submit

            • memory/2284-132-0x00007FF760970000-0x00007FF760AE4000-memory.dmp

              Filesize

              1.5MB

              Download