Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 14:10

General

  • Target

    3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe

  • Size

    1.1MB

  • MD5

    67602186447c604718f329e4a75efa30

  • SHA1

    da92fac48b831c782fe13704c444518dfab9f43f

  • SHA256

    3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566

  • SHA512

    99bc50931bfd4bedacdef49ed52d3270327d6314e661bafeac4c7099f4a95f1c1c555726769898876fafe0fa1c3303797b1a09604bead0795f297c75ff372590

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 21 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe
    "C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\plGbK61.vbs
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\plGbK61.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\ProgramData\plGbK6.exe
          "C:\ProgramData\plGbK6.exe" C:\ProgramData\plGbK6.au3
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4952
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1996
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SYSTEM32\explorer.exe
              6⤵
              • Drops file in System32 directory
              PID:4404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 804
                7⤵
                • Program crash
                PID:3440
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\PROGRA~3\plGbK6.vbs
            5⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3772
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\plGbK6.vbs"
              6⤵
              • Adds Run key to start application
              PID:4288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4404 -ip 4404
    1⤵
      PID:5012

    Downloads

    • C:\PROGRA~3\plGbK6.folder

      Filesize

      33B

      MD5

      33a6417430acf3de0d63ce51ea379446

      SHA1

      1edd015375aafbcfb019fbbff2e5f155fdc56bd0

      SHA256

      4fe93a90b2deab9e438b21127815cefebb8c3686c301b0cb110eb8ac18ec403a

      SHA512

      4f1f28fb96463b82403a43cb559b3a8a27d617864995adeb74b34f2d2856e5a9c11c1f562b28a867859cf7f59bf2b303a6434f27474e8d5e3fb9d3b8acb2faa3

    • C:\PROGRA~3\plGbK6.path

      Filesize

      102B

      MD5

      96a5701b8802017f8eb5c0b12f2d6648

      SHA1

      bf2674795d2adaf68b4427ea31c06ea8c28c1341

      SHA256

      080979ee8e1989d94b3da1442ae87c25d9ce888b7358daa5a7fc6ba3db24c72b

      SHA512

      924ad1f07b399f01b7268b01b05d2c33b6087551172f39f7d3e381395e8b7a8036774949076cd4109f3e79a7a72c9bdd137eea38b6695d6a47a2dbe3c9546468

    • C:\PROGRA~3\plGbK6.vbs

      Filesize

      648B

      MD5

      ee5c36bd87008356db08a36bb6657602

      SHA1

      874c97cce3c010a24e3b8817c34c70c04668b42d

      SHA256

      044ae0c0d26bdaa388ae02cf80c945a7ec542aeb34b0de046f2e1590ff530585

      SHA512

      f0169f74b93f2841fe146b1dedc471606511b3bebcd5c4498270cb7cebdb5e68fc5bcf7dc5036bd18ae3b4bea094fcebe9c5b180b9f58384123ddc61ecd2b370

    • C:\ProgramData\plGbK6

      Filesize

      34KB

      MD5

      f22becbde3aa82e56d20a475a7122670

      SHA1

      f8eb33dd6cc868176048ee552f16e893c6269649

      SHA256

      036181c87137ebebeb51d1462e615cf21c5b8bd75354dea855c35915ab080a7a

      SHA512

      739c008fc414edb56440796235b78799468b1791592600028ea591345cc4245ba35a67452cd54fb5c40e423c9a22a0280ce194755412a905713737c6ada7b4f9

    • C:\ProgramData\plGbK6.au3

      Filesize

      83KB

      MD5

      d7ae10e0c6e165746d5b6cd960e11835

      SHA1

      9011a7efcccad994025cc49a6d33ea8be3f06177

      SHA256

      7fbb4f71146b85919af9166225cd8d87b314bb867b63ab4a0a785d5be8e71dbe

      SHA512

      e26f2a1b24e963d0129bca6de7b98345923121f19227abb7d3f4998f8fd50bf96d96c4264a50cd52f721b0639af79167704d2b4b905e12b969108cad15952f27

    • C:\ProgramData\plGbK6.exe

      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    • C:\ProgramData\plGbK61.vbs

      Filesize

      102B

      MD5

      cda398717513da50830b084697723e1d

      SHA1

      fe120f38ddce40e9e5dc7a680df87557337ab948

      SHA256

      3252524e7063782846866933b9bb7f30d24c101279905e8cd78a15348f2a4422

      SHA512

      3dfbf16256cc43df34c2c1df1ef1854c77751abe8dec0795fb80b582c8f8832014ba878af30bc986451f5259667f17bd768184e961ac1c924dd1bf701fd2338e

    • memory/1996-144-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1996-146-0x0000000000400000-0x000000000040A228-memory.dmp

      Filesize

      40KB

    • memory/1996-140-0x0000000000000000-mapping.dmp

    • memory/1996-141-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/3772-143-0x0000000000000000-mapping.dmp

    • memory/4288-148-0x0000000000000000-mapping.dmp

    • memory/4404-145-0x0000000000000000-mapping.dmp

    • memory/4404-149-0x0000000000F70000-0x00000000013A3000-memory.dmp

      Filesize

      4.2MB

    • memory/4556-130-0x0000000000000000-mapping.dmp

    • memory/4908-132-0x0000000000000000-mapping.dmp

    • memory/4952-134-0x0000000000000000-mapping.dmp