Overview

overview

10

Static

static

8abebde631...e7.exe

windows7_x64

10

8abebde631...e7.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    148s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8abebde631005ae15aba91eb8f36fbe7.exe

  • Size

    983KB

  • MD5

    8abebde631005ae15aba91eb8f36fbe7

  • SHA1

    d4ac00d9aee072b6d1499e730cf9bcb27ad957ad

  • SHA256

    2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef

  • SHA512

    7091584d35154b0711e4a8b6c788cc5db5ad0e6444e5cda5a16ad41a00cf333413fc8ac5b93e84b9b2e5e9350ca89837c6f69b5838ade967b403bd24322ab3fc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
    "C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uppEqmN.exe"
      2⤵
        PID:228
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uppEqmN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE903.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:920
      • C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
        "C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
        2⤵
          PID:3088
          • C:\Windows\SysWOW64\Taskmgr.exe
            "C:\Windows\System32\Taskmgr.exe"
            3⤵
              PID:4540
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1740
            2⤵
            • Program crash
            PID:3248
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1816 -ip 1816
          1⤵
            PID:888

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmpE903.tmp
            Filesize

            1KB

            MD5

            70bf25bd1e9619c382b410c940934c05

            SHA1

            dcd8d134d78824d738a4981d45cd47a02a930097

            SHA256

            749fc55fd8c71b514d713c2e54781d3339add65a485d647bdedb0af1d51fce98

            SHA512

            48e6b7c964570831998ff9c5adeec0f8d5036e77fa4f4f4b941d27438936c5935f4e3f387771a51597b6c020b80b451a835285a38d043012a62c1764ab005b89

            Download Submit

          • memory/228-138-0x0000000002B10000-0x0000000002B46000-memory.dmp

            Filesize

            216KB

            Download

          • memory/228-167-0x0000000006450000-0x000000000646E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/228-160-0x0000000005620000-0x0000000005686000-memory.dmp

            Filesize

            408KB

            Download

          • memory/228-142-0x00000000056F0000-0x0000000005D18000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/228-157-0x0000000005480000-0x00000000054A2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1816-132-0x0000000005360000-0x00000000053F2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1816-133-0x0000000005400000-0x000000000540A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1816-134-0x0000000008FE0000-0x000000000907C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/1816-135-0x000000000B7A0000-0x000000000B806000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1816-130-0x00000000008A0000-0x000000000099C000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/1816-131-0x0000000005870000-0x0000000005E14000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3088-144-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-145-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-146-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-150-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-152-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-149-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-148-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-154-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-155-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-147-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-159-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-163-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-165-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-162-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/3088-141-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download