Analysis

  • max time kernel
    152s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 03:50

General

  • Target

    8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe

  • Size

    383KB

  • MD5

    f933bf16ab327dde3bbd1edf8904ca24

  • SHA1

    80fffd5994081d4e448b316313fb6ba02403c449

  • SHA256

    8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f

  • SHA512

    a3ad122a2eae7e824723a42a153c7e2c4421dd24804ec262f68c66c074a4e548ec2d6fd3c4909493e24fd3cf37ffe55048459199c85ef491a89297254d8678c0

  • SSDEEP

    6144:rs84tsv9slNSxY2Nc2EzpTPPy4AbE47WfA8RwpEP4h:rf4tu9slNSq2N7a9LmEjIma

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\Desktop\notepad.exe
      "C:\Users\Admin\Desktop\notepad.exe"
      2⤵
      • Executes dropped EXE
      PID:2444
    • C:\Users\Admin\Desktop\calc.exe
      "C:\Users\Admin\Desktop\calc.exe"
      2⤵
      • Executes dropped EXE
      PID:4916

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\Desktop\calc.exe

          Filesize

          56KB

          MD5

          e600b4d8d232484f43d7942a475b5709

          SHA1

          c053b63428fd9618593691b8e9c2f5a885631ece

          SHA256

          a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

          SHA512

          d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

        • C:\Users\Admin\Desktop\notepad.exe

          Filesize

          69KB

          MD5

          8aec89c7cc076ed378baa4dab7cb09e2

          SHA1

          caf84e588017a7098561a62e291dfa1a4f01db73

          SHA256

          f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

          SHA512

          a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

        • memory/4916-138-0x0000000001000000-0x0000000001028000-memory.dmp

          Filesize

          160KB