Analysis
- max time kernel: 136s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 10-03-2022 13:17
Static task: static1
Behavioral task: behavioral1
- Sample: 57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
- Resource: win7-20220223-en
General
- Target: 57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
- Size: 4.2MB
- MD5: d59004727742eb8ba309368611e48019
- SHA1: 55b2dce59cf019f819a980a4a142383b8a537a06
- SHA256: 57e10092a0245e6d4d2c2c34100593f38cc6060aef482ca83e676b8715a114af
- SHA512: dd0c3b1893ef3b7cb0f9b4e565a8839b072b69ac40137622275885616ab25706a4b3effa6696c94ff9a41ee6cbd7fab5abbaa2ed97a7798ca04bb184be9c52f3
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow  pid   process
    39    4136  WScript.exe
    48    4136  WScript.exe
    61    4136  WScript.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid  process
    444  winrar-x64-591th.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (1 IoC)
  Processes:
    description  ioc                                                                                 process
    Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings  57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid  process
    444  winrar-x64-591th.exe
    444  winrar-x64-591th.exe
    444  winrar-x64-591th.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                            target process
    PID 4360 wrote to memory of 444    4360  57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe  winrar-x64-591th.exe
    PID 4360 wrote to memory of 444    4360  57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe  winrar-x64-591th.exe
    PID 4360 wrote to memory of 4136   4360  57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe  WScript.exe
    PID 4360 wrote to memory of 4136   4360  57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe  WScript.exe
    PID 4136 wrote to memory of 4660   4136  WScript.exe                                        schtasks.exe
    PID 4136 wrote to memory of 4660   4136  WScript.exe                                        schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe"
  PID: 4360
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\winrar-x64-591th.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64-591th.exe"
    PID: 444
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Activator_cheker.JS"
    PID: 4136
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Activator_cheker.JS
      PID: 4660
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Activator_cheker.JS
  MD5: 01aa3142b7853a1bf64c3b4527473dc6
  SHA1: b72242e7af597ebed02174f84a4c3cdd20b397a2
  SHA256: 623ed43a12af43c757ab5b6f2699dcb5a766022a6855a87e2597d4842b8b0b0e
  SHA512: 5b941ce3b7a13666b079fe4e90bdb413a93cefa59a4260778c2e133d61e90859301d94a26d705d00c61528aac3baf90efe9aaa89318a0970be520be12be861fb
- C:\Users\Admin\AppData\Local\Temp\winrar-x64-591th.exe
  MD5: b17cbd558269b27a6619e0547eb38f3d
  SHA1: eecbbfe8508fa501a1a6873a60d1016faba02b45
  SHA256: 482e35b1769307cff7d9a55942c4880c2dd768dfaa43cf4e47d382c7c0e68e72
  SHA512: d3c4e36e61cab55d604dedbdf3693d916c27958e4196442602c277cc5e81ddba2c5d1551c87a226bdb85128a530680de08215ae41bba83507a430f594925004a