Overview

overview

9

Static

static

5ef82b40d2...ac.exe

windows7_x64

9

5ef82b40d2...ac.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    156s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe

  • Size

    140KB

  • MD5

    8f3b91fab3b43f4ab87c0b0a313a21c5

  • SHA1

    4a7108276f093be0336f7f457f5973b86a0ad587

  • SHA256

    5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac

  • SHA512

    15c369e28128f796de46d7efa88c50ff32ebc58beaa3c62d935c9f2f690ffbcf17381d894c95653947c895a54bc849c995d282e1ed32d4a703c3d9333041337f

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe
    "C:\Users\Admin\AppData\Local\Temp\5ef82b40d2f8ba80a91f4c518a457ad003cf4c44343696f4af2396626b8fcaac.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VILDCWsxo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC44.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4284
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
        PID:1560
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "{path}"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1176

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC44.tmp
      Filesize

      1KB

      MD5

      0989fc445c80f68e635fb54f46045a5c

      SHA1

      5b37b8357490aba98bcb14104227e55c1ebef10f

      SHA256

      d2a77495d54e3199ae3dd7d7e09f2cd0a57a74105c4ef83ad660d29ac2a041bd

      SHA512

      4ff1bfe3e5e48079bce32cdf2f071fdd435cac1746f9c0ff92a6d93bcc35960cb0c09cdf14cc4d22b7f0816a30c8ef6804e6c5f3ee173e7ae67deb36c8495a6b

      Download Submit
    • memory/1176-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1176-139-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1312-130-0x0000000000130000-0x000000000015A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1312-131-0x0000000005130000-0x00000000056D4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1312-132-0x0000000004B80000-0x0000000004C12000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1312-133-0x0000000004B10000-0x0000000004B1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-134-0x00000000071C0000-0x000000000725C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1560-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4284-135-0x0000000000000000-mapping.dmp
      Download