Analysis

  • max time kernel
    148s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 04:00

General

  • Target

    5980a7857bf1148e922bf42a09bdc511584ed4a15416781269baf483ffc33096.exe

  • Size

    286KB

  • MD5

    9dadfc53bb6a731f4addecf7fe33897e

  • SHA1

    cf05bc7ad0a13baf3890b19a9afbafc7cb0ac193

  • SHA256

    5980a7857bf1148e922bf42a09bdc511584ed4a15416781269baf483ffc33096

  • SHA512

    fffa823c000a2a0332981426b9978865aa41b3ebfa0902af971e935840297ef33a2a049b02f5234f564ca6d3a7ed9d6d6a419a309b8bd731ee5edc4163c45b28

  • SSDEEP

    6144:XwaPq72adX5H9+nvDHzAV+VoT2de+QUAAL3cj539:Xwaa2epwvDHzOx4VB3YB9

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5980a7857bf1148e922bf42a09bdc511584ed4a15416781269baf483ffc33096.exe
    "C:\Users\Admin\AppData\Local\Temp\5980a7857bf1148e922bf42a09bdc511584ed4a15416781269baf483ffc33096.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe
      "C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        3⤵
        PID:4040
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      PID:260
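The cmd.exe image path in the tree is C:\Windows\SysWOW64\cmd.exe although the command line names system32: that is WOW64 file-system redirection, so Server_Setup.exe (PID 728) is a 32-bit process, consistent with the arch:x86 resource tag. The chain itself (an executable other than msinfo32.exe running from the shared MSInfo folder, cmd.exe /c running a batch file that sits directly in C:\Windows, an executable in the C:\Windows root that Windows does not ship there starting IEXPLORE.EXE) is what a detection would key on. The following is an added example, not part of the sandbox report: process-creation records constructed to mirror the tree plus two benign controls, with those checks run over them. The record fields (pid, ppid, image, cmdline) and the allowlist of binaries that live directly in C:\Windows are this example's own assumptions, not a product schema.

```python
"""Process-chain checks for the tree shown above.

Added example, not part of the sandbox report. The event records are
constructed to mirror the report's process tree plus two benign controls;
the record fields (pid, ppid, image, cmdline) and WINROOT_ALLOW are this
example's own assumptions, not a product schema.
"""
import ntpath
import re

SAMPLE = "5980a7857bf1148e922bf42a09bdc511584ed4a15416781269baf483ffc33096.exe"
MSINFO_DIR = r"c:\program files\common files\microsoft shared\msinfo"
WINDIR = r"c:\windows"
# Assumed: binaries Windows ships directly in C:\Windows (not a complete list).
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                 "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}

# Constructed events. PIDs 4896/728/4040/1752/260 are the report's; the
# parent of 1752 is not shown in the report and is recorded as 0 here.
EVENTS = [
    {"pid": 4896, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
     "cmdline": '"' + r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + '"'},
    {"pid": 728, "ppid": 4896,
     "image": r"C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe",
     "cmdline": r'"C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe"'},
    {"pid": 4040, "ppid": 728,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat"},
    {"pid": 1752, "ppid": 0,
     "image": r"C:\Windows\Hacker.com.cn.exe",
     "cmdline": r"C:\Windows\Hacker.com.cn.exe"},
    {"pid": 260, "ppid": 1752,
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
    # Benign controls (constructed): the real msinfo32, and IE started by explorer.
    {"pid": 5000, "ppid": 0,
     "image": r"C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe",
     "cmdline": "msinfo32.exe"},
    {"pid": 5001, "ppid": 0,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5002, "ppid": 5001,
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
]


def norm(path):
    return path.strip('"').lower()


def parent_dir(path):
    return ntpath.dirname(norm(path))


def base(path):
    return ntpath.basename(norm(path))


def foreign_exe_in_msinfo(ev):
    """Anything but msinfo32.exe executing from the shared MSInfo folder."""
    return parent_dir(ev["image"]) == MSINFO_DIR and base(ev["image"]) != "msinfo32.exe"


def cmd_runs_bat_from_windir(ev):
    """cmd.exe running a batch file that sits directly in C:\\Windows (not a subfolder)."""
    if base(ev["image"]) != "cmd.exe":
        return False
    return re.search(r'\\windows\\[^\\\s"]+\.bat(\s|$)', norm(ev["cmdline"])) is not None


def unexpected_winroot_exe(ev):
    """An executable directly in C:\\Windows that is not on the ship-list."""
    return parent_dir(ev["image"]) == WINDIR and base(ev["image"]) not in WINROOT_ALLOW


def detect(events):
    """Return (rule, pid) pairs. The IE rule needs the parent record, hence the index."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if foreign_exe_in_msinfo(ev):
            hits.append(("foreign_exe_in_msinfo", ev["pid"]))
        if cmd_runs_bat_from_windir(ev):
            hits.append(("cmd_runs_bat_from_windir", ev["pid"]))
        if unexpected_winroot_exe(ev):
            hits.append(("unexpected_winroot_exe", ev["pid"]))
        parent = by_pid.get(ev["ppid"])
        if base(ev["image"]) == "iexplore.exe" and parent and unexpected_winroot_exe(parent):
            hits.append(("iexplore_from_winroot_exe", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The allowlist is the part to tune: build it from a clean reference image of the same Windows build, not from the host under investigation. Against the constructed events the four report processes 728, 4040, 1752 and 260 fire one rule each and the two controls fire none.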

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files\Common Files\microsoft shared\MSInfo\Server_Setup.exe

        Filesize

        270KB

        MD5

        282728e8cf879da1166c69804848fde4

        SHA1

        1106f1958cbf6ef9afa62490eb2ff27a774598a2

        SHA256

        5cb27cad28849469ba50b8c62917c561f5dd5862e3aaef7cc1a23beb819b57db

        SHA512

        68ca7afcbaae18a5af5a3e9b87b87eabe3c5f6ec97df427e048ea7b27117c3bc24d5b676d532616d0d046c705702f8776acb4118616598501fe452d70f1b29fa

      • C:\Windows\Hacker.com.cn.exe

        Filesize

        270KB

        MD5

        282728e8cf879da1166c69804848fde4

        SHA1

        1106f1958cbf6ef9afa62490eb2ff27a774598a2

        SHA256

        5cb27cad28849469ba50b8c62917c561f5dd5862e3aaef7cc1a23beb819b57db

        SHA512

        68ca7afcbaae18a5af5a3e9b87b87eabe3c5f6ec97df427e048ea7b27117c3bc24d5b676d532616d0d046c705702f8776acb4118616598501fe452d70f1b29fa

      • C:\Windows\uninstal.bat

        Filesize

        190B

        MD5

        748359b8db32273bc6f3f4b050b8b86b

        SHA1

        f30e73e970b4277fb39004b3b5833a79e6f4762d

        SHA256

        bd92c1a1c66403d13d1da9143ce6d7db2a4dcbdee6bd58899174406407f7b803

        SHA512

        e02ecbb038f1ff075201d551eddb74252b7fa4582b0c10cfdaedf3845e1997bf9e2cb8d2b8a55318fb9072d7b777cf53d9df348dec467160a9e8b7a794b4556d

      • C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe

        Filesize

        270KB

        MD5

        282728e8cf879da1166c69804848fde4

        SHA1

        1106f1958cbf6ef9afa62490eb2ff27a774598a2

        SHA256

        5cb27cad28849469ba50b8c62917c561f5dd5862e3aaef7cc1a23beb819b57db

        SHA512

        68ca7afcbaae18a5af5a3e9b87b87eabe3c5f6ec97df427e048ea7b27117c3bc24d5b676d532616d0d046c705702f8776acb4118616598501fe452d70f1b29fa

      • memory/728-135-0x0000000000400000-0x000000000050B000-memory.dmp

        Filesize

        1.0MB

      • memory/728-136-0x0000000000400000-0x000000000050B000-memory.dmp

        Filesize

        1.0MB

      • memory/728-142-0x0000000000400000-0x000000000050B000-memory.dmp

        Filesize

        1.0MB

      • memory/1752-139-0x0000000000400000-0x000000000050B000-memory.dmp

        Filesize

        1.0MB

      • memory/1752-140-0x0000000000400000-0x000000000050B000-memory.dmp

        Filesize

        1.0MB

      • memory/1752-144-0x0000000000400000-0x000000000050B000-memory.dmp

        Filesize

        1.0MB
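The Downloads list resolves to one 270KB binary written to both Server_Setup.exe and Hacker.com.cn.exe (identical MD5/SHA1/SHA256/SHA512), a 190B uninstal.bat, and the submitted 286KB sample; the memory dumps for PIDs 728 and 1752 cover the same 0x400000-0x50B000 image. A host sweep for these indicators, as an added example that is not part of the report: the hashes and drop paths are copied from the Downloads section, while the function names, the drive/root split and the placeholder file the demo plants are this example's own.

```python
"""Sweep a filesystem for the dropped-file indicators listed under Downloads.

Added example, not part of the sandbox report. Hashes and drop paths are
copied from the report; helper names are this example's own. A file at a
known drop path is reported even when its hash differs, because a rebuilt
implant may keep the path while the hash changes.
"""
import hashlib
import os
import tempfile

SUBMITTED_SHA256 = "5980a7857bf1148e922bf42a09bdc511584ed4a15416781269baf483ffc33096"
DROPPED_SHA256 = {
    # The same 270KB binary is written to both Server_Setup.exe and Hacker.com.cn.exe.
    "5cb27cad28849469ba50b8c62917c561f5dd5862e3aaef7cc1a23beb819b57db": "Server_Setup.exe / Hacker.com.cn.exe",
    "bd92c1a1c66403d13d1da9143ce6d7db2a4dcbdee6bd58899174406407f7b803": "uninstal.bat",
    SUBMITTED_SHA256: "submitted sample",
}
# Drop locations relative to the drive root (C:\ in the sandbox).
DROP_PATHS = [
    r"Program Files\Common Files\microsoft shared\MSInfo\Server_Setup.exe",
    r"Windows\Hacker.com.cn.exe",
    r"Windows\uninstal.bat",
]


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, drive=None, hashes=DROPPED_SHA256, drop_paths=DROP_PATHS):
    """Return (hash_hits, path_hits).

    root:  directory tree to hash (scope this; hashing a whole drive is slow).
    drive: where DROP_PATHS are resolved; defaults to root.
    hash_hits: (path, digest, label) for every readable file under root whose
               SHA-256 is in `hashes`.
    path_hits: known drop paths that exist under drive, whatever their content.
    """
    drive = root if drive is None else drive
    hash_hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or unreadable; a running implant may hold its own file open
            if digest in hashes:
                hash_hits.append((full, digest, hashes[digest]))
    path_hits = [p for p in (os.path.join(drive, *rel.split("\\")) for rel in drop_paths)
                 if os.path.isfile(p)]
    return hash_hits, path_hits


def demo():
    """Constructed tree in a temp dir with a placeholder (not the real artefact)
    planted at one of the report's drop paths; returns both sweep results."""
    root = tempfile.mkdtemp()
    planted = os.path.join(root, "Windows", "Hacker.com.cn.exe")
    os.makedirs(os.path.dirname(planted))
    payload = b"constructed placeholder, not the sandbox artefact\n"
    with open(planted, "wb") as f:
        f.write(payload)
    digest = hashlib.sha256(payload).hexdigest()
    report_hits = sweep(root)  # real report hashes: only the path can match
    combined_hits = sweep(root, hashes={**DROPPED_SHA256, digest: "placeholder"})
    return {"planted": planted, "digest": digest,
            "report": report_hits, "combined": combined_hits}


if __name__ == "__main__":
    r = demo()
    print("hash hits:", r["combined"][0])
    print("path hits:", r["combined"][1])
```

On a real host call sweep(r"C:\Windows", drive="C:\\") and again with root r"C:\Program Files\Common Files" rather than walking the whole drive. Treat a path hit with a non-matching hash as worth pulling the file: the report's own evidence is that the dropper writes the same binary to two fixed locations, and the path survives a rebuild better than the hash does.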