Overview

overview

10

Static

static

air way bill.exe

windows7_x64

10

air way bill.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    air way bill.exe

  • Size

    861KB

  • MD5

    c9e0dc9c74c3782c0319ed1ce090287d

  • SHA1

    9fabc323f888b25b7005d2f793ac941c9091f0f3

  • SHA256

    b2169a0b14394b89cad7d3d4092b1a3e940c4504f9e7d982ebbcfd0b8c603530

  • SHA512

    8d13fa2d64d7a5fcb6e57ec014b18e469092ab122a6850dffbe37afc7d752f5c80a50b4cfa171194cf1e96614c0c9c3de50978c9a26f50805b5a016c436180d5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
    "C:\Users\Admin\AppData\Local\Temp\air way bill.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJcljmyFlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DC4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3368
    • C:\Users\Admin\AppData\Local\Temp\air way bill.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\air way bill.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:64
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\air way bill.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\air way bill.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp3DC4.tmp
    Filesize

    1KB

    MD5

    7068756774f92259a6f4d07c12e869bb

    SHA1

    7ff512fb7e34b959ab00a67b556e4e0bf57ced45

    SHA256

    a8efebff223b9bcd7fe0a197eb598df5db6d673e9a420ac030bd3a5b55e913f3

    SHA512

    eb4b667a3223514c779f8f38c14cfce8c6520fdd359ab23f1e224891c3ddb2f6076408254125cc88c495ffa2ee6047f299e2fd73ead3fced2a0a87ef78effe19

    Download Submit

  • memory/64-140-0x0000000000000000-mapping.dmp

    Download

  • memory/2068-131-0x0000000008430000-0x00000000089D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2068-132-0x0000000007F20000-0x0000000007FB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2068-133-0x0000000007FC0000-0x0000000007FCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2068-134-0x0000000008220000-0x00000000082BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2068-130-0x0000000000FD0000-0x00000000010AE000-memory.dmp

    Filesize

    888KB

    Download

  • memory/3368-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4340-145-0x0000000005FF0000-0x0000000006012000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4340-142-0x0000000000000000-mapping.dmp

    Download

  • memory/4340-143-0x0000000005210000-0x0000000005246000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4340-144-0x0000000005900000-0x0000000005F28000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4340-146-0x00000000060E0000-0x0000000006146000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4340-147-0x0000000005580000-0x000000000559E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4340-148-0x0000000007E20000-0x000000000849A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4340-149-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4340-150-0x0000000007840000-0x00000000078D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4340-151-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4624-138-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/4624-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4624-139-0x00000000051B0000-0x0000000005216000-memory.dmp

    Filesize

    408KB

    Download