Analysis

  • max time kernel: 153s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 20-05-2022 23:00

General

  • Target: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
  • Size: 118KB
  • MD5: 9fea48280651d7daede8ff94fddcc39c
  • SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
  • SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
  • SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs

    Adds the dropped executable to the firewall's allowed-programs list via netsh (see the netsh command line in the process tree).

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is common ransomware behaviour, but the signature fires on drive enumeration alone, and no file-encryption activity is listed elsewhere in this report.

  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe
    "C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
      "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe" "Internet Explorer.exe" ENABLE
        3⤵
          PID:3788
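The process tree above shows the sample copying itself to %APPDATA% as "Internet Explorer.exe" and then having netsh add that file to the firewall's allowed programs. The following Python is an added example, not part of this report or of the sample, that triages Sysmon-style process-creation records for exactly that pattern: a Windows-component file name running from a user-writable path, and a netsh firewall exception (legacy `netsh firewall add allowedprogram` or `netsh advfirewall firewall add rule ... program=`) for a program in such a path. The event field names, the decoy-name list, the user-writable path list and the sample events are constructed assumptions, not sandbox output.

```python
"""Triage Sysmon-style process-creation events for the self-copy +
firewall-exception pattern seen in the report above (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Locations a standard user can write to (assumed list): a firewall
# exception for a program here, or a Windows-looking binary living here,
# deserves a look.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads)\\", re.I)

# File names that impersonate Windows components (assumed, not exhaustive).
DECOY_NAMES = {"internet explorer.exe", "iexplore.exe", "explorer.exe",
               "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

# Legacy `netsh firewall add allowedprogram [program=]<path> ...` and
# `netsh advfirewall firewall add rule ... program=<path>`; <path> may be quoted.
FW_LEGACY = re.compile(
    r'\badd\s+allowedprogram\s+(?:program\s*=\s*)?(?:"([^"]+)"|(\S+))', re.I)
FW_ADV = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram\s*=\s*(?:"([^"]+)"|(\S+))',
    re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def firewall_program(cmdline: str) -> Optional[str]:
    """Return the program path a netsh firewall command whitelists, or None."""
    for rx in (FW_LEGACY, FW_ADV):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def triage(events: Iterable[dict]) -> List[Finding]:
    """events: dicts with pid, image, cmdline (Sysmon Event ID 1 fields, assumed)."""
    findings = []
    for ev in events:
        image = ev["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        # A system-component name executing from a user-writable directory.
        if name in DECOY_NAMES and USER_WRITABLE.match(image):
            findings.append(Finding(ev["pid"], "decoy_name_user_path",
                                    f"{image} impersonates a Windows component"))
        # netsh opening the firewall for a program in a user-writable directory.
        if name == "netsh.exe":
            prog = firewall_program(ev["cmdline"])
            if prog and USER_WRITABLE.match(prog):
                findings.append(Finding(ev["pid"], "firewall_allow_user_path",
                                        f"netsh whitelists {prog}"))
    return findings


# Constructed events mirroring the process tree above (not sandbox output);
# the last one is a benign advfirewall rule for a Program Files binary.
SAMPLE_EVENTS = [
    {"pid": 1572,
     "image": r"C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41.exe"'},
    {"pid": 2904,
     "image": r"C:\Users\Admin\AppData\Roaming\Internet Explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"'},
    {"pid": 3788,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe" "Internet Explorer.exe" ENABLE'},
    {"pid": 4100,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor App" dir=in action=allow program="C:\Program Files\Vendor\app.exe" enable=yes'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

The legacy `netsh firewall` context the sample uses is deprecated on current Windows, but it still creates the exception (printing a deprecation notice), so a detection has to match both the legacy `allowedprogram` syntax and the `advfirewall firewall add rule ... program=` form; the example parses the path out of either and only flags it when it points into a user-writable directory, which keeps vendor installers writing rules for Program Files out of the alert stream.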

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Modify Existing Service (T1031): 1
  • Discovery: Query Registry (T1012): 1
  • Discovery: System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
    Filesize: 118KB
    MD5: 9fea48280651d7daede8ff94fddcc39c
    SHA1: ec94b5bc9bdd7e910b7c49992c52daf69f387891
    SHA256: 52f790d6273d95377f9794ce4e434d6b25cb70eca97f68585eb7f11177be0e41
    SHA512: 02d19421ed966cece01d187ab5e8d4a5fcb17b4d4042457c668d40a958e2053bd70525661639da3fb3b02352586bd78edb29f0774653040d96051d0055899298

    Same size and hashes as the submitted sample: the dropped file is a verbatim self-copy, renamed to look like a Windows component.

  • memory/1572-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp
    Filesize: 5.7MB
  • memory/2904-131-0x0000000000000000-mapping.dmp
  • memory/2904-135-0x00000000748F0000-0x0000000074EA1000-memory.dmp
    Filesize: 5.7MB
  • memory/3788-134-0x0000000000000000-mapping.dmp