Overview

overview

7

Static

static

data64_6.exe

windows7_x64

7

data64_6.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    107s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    data64_6.exe

  • Size

    1.9MB

  • MD5

    87953bdf18ba88061cf28ad17116b56f

  • SHA1

    bc04b30d0e7ca0fc34b1d507ab4b991e0cc5dbc6

  • SHA256

    9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f

  • SHA512

    19d8520c62da97a0a793c1f9eb17ae5865ea3d6d9e4734ac5e4069c864f52fccf06d5961c136095c73e7ee6c3ce1e9ae0038f32e8941f5aa2599327111b386c3

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\data64_6.exe
    "C:\Users\Admin\AppData\Local\Temp\data64_6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /U /S V8NgH.K
      2⤵
      • Loads dropped DLL
      PID:312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\V8NgH.K
    Filesize

    662.2MB

    MD5

    b623c4bb3d8823fd82ab0886bad00de4

    SHA1

    a24889592c527b8fd7770946b04ecc25e7c7760c

    SHA256

    5b2d0a633906196dbc624285e898f97e3da81d4c4b32133902287a092ef6bec4

    SHA512

    fd0ebe381cbcaa5df75ccedf79e6376029d4894bd1979e6a38679c6f60c0eea76aa547485c063d5297f7265af78c86b5b7a9d1d1b7675ad471705290899c0005

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\v8NgH.K
    Filesize

    631.6MB

    MD5

    4d6c67f95e76ae1ad168e0382563cf69

    SHA1

    c17bba639fdedf07d4d63d4f4b89850cb383f0ca

    SHA256

    9e49a5cc7b33076fbb649854dbb2f435e682356a6dfe1e8f00e8400270a61edd

    SHA512

    10405cdc984a6d65ebe2143d4cb6da6757a643c67b8ddd1d6c115c1a3cc5ae0d5314a61c730b40a4dd43f111024d9ba9d5e6f6f0667bd57adc31251a5cc1b1ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\v8NgH.K
    Filesize

    641.8MB

    MD5

    267c3991eebda1bf446cba000e23a755

    SHA1

    3fb8de6dccb22cbd97243fdad1cab5ce1cc9db8c

    SHA256

    2e3307bbb7a13c10c43e23d380a177fea2dcf7da12e1b7f950dc82cb7f0d9edc

    SHA512

    29b12bd7f360f7030763a3572d1090007ae100ff2e3ec6dbe2705023ee6528388a21d0472e4f452d69470f89a489dc61eeedd26d5714ed7dd4051cd82ab8447f

    Download Submit
  • memory/312-130-0x0000000000000000-mapping.dmp
    Download
  • memory/312-134-0x0000000002E60000-0x0000000003E60000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/312-135-0x000000002DD80000-0x000000002DE5F000-memory.dmp
    Filesize

    892KB

    Download
  • memory/312-136-0x000000002DF20000-0x000000002DFDB000-memory.dmp
    Filesize

    748KB

    Download
  • memory/312-137-0x000000002DFE0000-0x000000002E094000-memory.dmp
    Filesize

    720KB

    Download
  • memory/312-138-0x000000002E0A0000-0x000000002E140000-memory.dmp
    Filesize

    640KB

    Download