Overview

overview

10

Static

static

59ebbdf21f...f0.exe

windows7-x64

10

59ebbdf21f...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59ebbdf21f80732ee51d8c038fca9306470341d1260751b05626a72a9513a1f0.exe

  • Size

    1.6MB

  • MD5

    8ba75de55191a7b284c87450d7ec168e

  • SHA1

    e8c1481d0a26713f92ef785b8fd998fdd87198c6

  • SHA256

    59ebbdf21f80732ee51d8c038fca9306470341d1260751b05626a72a9513a1f0

  • SHA512

    1af991aa7a4ec227ab38df95a0f8a0ef1ab6cd84dd7100718de088e00cd8f4e3d545d3dd4ee40e619f246edf7ec23e6c44b195e57242536c11e22aff6799731d

Score
10/10
persistencesuricataupx

Malware Config

Signatures

  • suricata: ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon

    suricata: ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon

    suricata
  • Executes dropped EXE 3 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59ebbdf21f80732ee51d8c038fca9306470341d1260751b05626a72a9513a1f0.exe
    "C:\Users\Admin\AppData\Local\Temp\59ebbdf21f80732ee51d8c038fca9306470341d1260751b05626a72a9513a1f0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
      "C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
          "C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
            C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4896

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
    Filesize

    1.5MB

    MD5

    543049a58fe847362b15f8e1aee75721

    SHA1

    b22a1f4731c3123ed9af1d3979930775918a462e

    SHA256

    99afe2ac82bc3efc48cd70ec9acab914989e6e60007400629d3001799ccbb5cf

    SHA512

    fdf84f0738e2ec1503ffc557f07dea550ee48647c51a70c6bad2eb4f5e4514b3681a06511a88451f58e2942f084aa3bef79d9cb13b1b6d37af16ec5a35f6e852

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
    Filesize

    1.5MB

    MD5

    543049a58fe847362b15f8e1aee75721

    SHA1

    b22a1f4731c3123ed9af1d3979930775918a462e

    SHA256

    99afe2ac82bc3efc48cd70ec9acab914989e6e60007400629d3001799ccbb5cf

    SHA512

    fdf84f0738e2ec1503ffc557f07dea550ee48647c51a70c6bad2eb4f5e4514b3681a06511a88451f58e2942f084aa3bef79d9cb13b1b6d37af16ec5a35f6e852

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
    Filesize

    1.5MB

    MD5

    543049a58fe847362b15f8e1aee75721

    SHA1

    b22a1f4731c3123ed9af1d3979930775918a462e

    SHA256

    99afe2ac82bc3efc48cd70ec9acab914989e6e60007400629d3001799ccbb5cf

    SHA512

    fdf84f0738e2ec1503ffc557f07dea550ee48647c51a70c6bad2eb4f5e4514b3681a06511a88451f58e2942f084aa3bef79d9cb13b1b6d37af16ec5a35f6e852

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4xmlu\o67oo.exe
    Filesize

    1.5MB

    MD5

    543049a58fe847362b15f8e1aee75721

    SHA1

    b22a1f4731c3123ed9af1d3979930775918a462e

    SHA256

    99afe2ac82bc3efc48cd70ec9acab914989e6e60007400629d3001799ccbb5cf

    SHA512

    fdf84f0738e2ec1503ffc557f07dea550ee48647c51a70c6bad2eb4f5e4514b3681a06511a88451f58e2942f084aa3bef79d9cb13b1b6d37af16ec5a35f6e852

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4xmlu\x
    Filesize

    762KB

    MD5

    e0737d3e97b528ff480a4016fb915511

    SHA1

    e3f0ea67cb3019e1663f5462b21009f4e2bc3bd1

    SHA256

    6a25b4d561b71867ad482557278c780501acf8200a72926f27b99cad8cf4e9ed

    SHA512

    a37f5864d452c31820e9a08582e0fcc67c45cf4c74c0a96b256047cbc4b4b7bbaafb1fe7ec5c9211020d98cc4abfa59c75d0fe4344bcbd2f90b8c90abd4b273e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZWcCUkGLY8aBx\ZWcCUkGLY8aBx.dat
    Filesize

    2B

    MD5

    93e00066d099c0485cfffa1359246d26

    SHA1

    bc69a773f37b2f2071e25f755a66d47b871e5d98

    SHA256

    3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

    SHA512

    d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZWcCUkGLY8aBx\ZWcCUkGLY8aBx.nfo
    Filesize

    3KB

    MD5

    0097ffd3c0d7fee5deb04c5503189995

    SHA1

    92a5fc2e5e49b721ff98c6869f164c167fd78e07

    SHA256

    b7b9c173d28df1e581f50c2eb321323afdd8bba308ae01fd23402e15b31941f3

    SHA512

    f38ee1af1c752a0c87633f87673818d822d710dd1ed8b6020951c8df59272d8401228d68973f507a193516b1fcc0f5e28bd9bfb7c3fd5c73c7a3f7dae5d3bcda

    Download Submit

  • memory/1028-155-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/1028-148-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/1028-143-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/1028-146-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/1028-145-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/4896-164-0x0000000001611000-0x00000000016C4000-memory.dmp

    Filesize

    716KB

    Download

  • memory/4896-163-0x00000000016C4000-0x000000000171C000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4896-150-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4896-151-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4896-152-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4896-159-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4896-156-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4896-165-0x00000000016C4000-0x000000000171C000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4896-157-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4896-166-0x00000000016C4000-0x000000000171C000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4896-160-0x0000000001610000-0x000000000171E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/5000-140-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5000-158-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5000-141-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5000-139-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5000-138-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5000-137-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download