Analysis

  • max time kernel
    129s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 01:14

General

  • Target

    cab5f77fe8fb3e34b085e3d7cfe891ca9e2e3b40619404a6c915d12b311ad86d.exe

  • Size

    70KB

  • MD5

    232e49c7ba8391d7161babef4614ab7e

  • SHA1

    1dfd835200aac5019938067fce6ef826d0b090ac

  • SHA256

    cab5f77fe8fb3e34b085e3d7cfe891ca9e2e3b40619404a6c915d12b311ad86d

  • SHA512

    c082d25b0138a86ad2636b7ecea40621495c812a5c5ebe2a44c4ac14d10b08817697cbf1b03d98fc1b765ec6151ded78013d96f45ac55c58e4a30ec1d83c88b5

  • SSDEEP

    1536:mAhTyTTFQNC13U4rtnDb4tmJ2mUX7tblpAkQfFvIvQC:LhT2137DYmJJUX7tbbA5uvF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cab5f77fe8fb3e34b085e3d7cfe891ca9e2e3b40619404a6c915d12b311ad86d.exe
    "C:\Users\Admin\AppData\Local\Temp\cab5f77fe8fb3e34b085e3d7cfe891ca9e2e3b40619404a6c915d12b311ad86d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\252.exe
      "C:\252.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear.bat" "
        3⤵
        PID:3124
      • C:\DnfÁúÑÛ6.13.exe
        "C:\DnfÁúÑÛ6.13.exe"
        2⤵
        • Executes dropped EXE
        PID:3052

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\252.exe

      Filesize

      16KB

      MD5

      a9f257805603ed00bb5052016062e824

      SHA1

      6006892a85faa8d581c66b2230c85559b8321a38

      SHA256

      d490b4c5707b0f387c3084a45e8e2ed34b7495a66ffb364c4c6ea2ac09a7302d

      SHA512

      eb4f0e9580da238055ba20ac9393b5f6cf063016e111697a5bb35f47c72315d370364c160cba77df690a66257bd4bc40828fb70aebe7381aa61f6ff8667e7200

    • C:\DnfÁúÑÛ6.13.exe

      Filesize

      59KB

      MD5

      db0d0929cc3d6671b7fe1d98fbeff658

      SHA1

      7a04a6d8d912b5ed293d160e50a79774df56d041

      SHA256

      1b55f28889cbe07816f50805a173dd12333bfb269787e91f8145cf8d727a91bf

      SHA512

      2d7783ef7aa64e74334c2049a2c17d2e8ae385222e9a9fc6ab0f95703c6818374029bf07e30bcdd45bba3e793e92ec0bbf0561603014cd1296f560d05d1126fb

    • C:\Users\Admin\AppData\Local\Temp\clear.bat

      Filesize

      76B

      MD5

      dd268c746af233a812c28d3dbc4fe47c

      SHA1

      63b6b9860b7ee528d8fe00404f3c3ec7e407bc2f

      SHA256

      aa8a695d5cc6a68c5f05b403d23ff205bbdf7b8ace7443b67818bc72f929d677

      SHA512

      28907b6db15cc752442a7b32520fa554fc99a10725a98588f4ce7191f7cbd3ce5a757cc4ffe7b01be4062574bf4788224b0bb4ef882839ce757a2d38baf1369c

    • C:\Users\Admin\AppData\Local\Temp\jlfdnf.dll

      Filesize

      26KB

      MD5

      27718f9dcf10fb511effb947d2bf793d

      SHA1

      5914d008527dff61f2ef496961ec15314fb0a4f0

      SHA256

      81ccdd8114297d947526bdf95dbd70ecd2bd8c087acea7020ac53ea763fe0a4c

      SHA512

      2fb4a9c5f1b9493da16ea8771438af27d7b06a40a7512382d63397b3ede34ee1c23ac79ba94a27e99e82f6ca18b96c9d72d35029ca85be0b708998e0bb0ef117

    • C:\Windows\SysWOW64\RasEngine.dat

      Filesize

      48KB

      MD5

      98c499fccb739ab23b75c0d8b98e0481

      SHA1

      0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

      SHA256

      d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

      SHA512

      9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

    • memory/3988-140-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/3988-141-0x0000000010000000-0x000000001000B000-memory.dmp

      Filesize

      44KB

    • memory/3988-143-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB