Overview

overview

9

Static

static

8

bdb0b97b0c...0c.exe

windows7-x64

9

bdb0b97b0c...0c.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    95s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2022 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdb0b97b0c573b1f76593bd6b26908624791b9eff0ed8ef800d951beb4b35c0c.exe

  • Size

    27KB

  • MD5

    0849dbb6b9806a5a8ba38ad93752e299

  • SHA1

    08c0c9fa51fe9476114faf5f069e3cf54171d438

  • SHA256

    bdb0b97b0c573b1f76593bd6b26908624791b9eff0ed8ef800d951beb4b35c0c

  • SHA512

    6cf88331823bd2edda69944efdef3947ba6054ec349d7213af6f50296eb7e3dcb782703cde700e4b44dc3a93b527bdee6e3350dab85780fa6449fa9f83126b0c

  • SSDEEP

    384:9E1799xP6DUbQnP3S2WlkhOTM/Yt0iTH7ns7kOUWrdKU+muPexp0yS/dRIo:9k99xPjkPNWKwMQvTHrD+hqNGEDdf

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdb0b97b0c573b1f76593bd6b26908624791b9eff0ed8ef800d951beb4b35c0c.exe
    "C:\Users\Admin\AppData\Local\Temp\bdb0b97b0c573b1f76593bd6b26908624791b9eff0ed8ef800d951beb4b35c0c.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BDB0B9~1.EXE >> NUL
      2⤵
        PID:1440

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\201476D0.dll
      Filesize

      17KB

      MD5

      5a7d2a1a207566097a29ac76e369bd4c

      SHA1

      84beb1b1675239363cc0c3701e980d0a78e6f116

      SHA256

      1772be8e8e7cbb531516204f2896d04a61f0fe44058681e4f3db04d83b526608

      SHA512

      3d9fde097a707389a90425e244dc1666af64a1c98fe9e6a1b2a2cfb21f261d5fd1ceff8f394ba3311a8d0928d6934729a14a335b2747006f99a61c2c40120ae2

      Download Submit

    • memory/4876-132-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4876-134-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-136-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB

      Download