Analysis

  • max time kernel
    182s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-02-2022 09:01

General

  • Target

    2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe

  • Size

    193KB

  • MD5

    cfb761465693bd4511f038d8e468e62e

  • SHA1

    c8d64b3d2208a3cf40f4d9c182c9829beaa1eb86

  • SHA256

    2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912

  • SHA512

    2622751f9f5ab89287a1d88c9f027a7117549fcd0280f104a598c7953713d32e6ce5adfdd26abec709e1c848b8bc9f50e5226185721a22d2b3573d2d0264d36c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe
    "C:\Users\Admin\AppData\Local\Temp\2a97228a72f59f4a7095efcadf5adf6d2f6365e094b7c3de34348ab38a3e9912.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe
      "C:\Users\Admin\AppData\Local\Temp\asvyDmo.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        PID:1144
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        PID:4012

Network

MITRE ATT&CK Enterprise v6
