Analysis

  • max time kernel
    171s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2022 04:18

General

  • Target

    3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe

  • Size

    96KB

  • MD5

    67c3ef7b43566e275af9c20991dc4a2d

  • SHA1

    27e206b91a72320e78b198d6f5e26e53aad04730

  • SHA256

    3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9

  • SHA512

    fe58c4f7cfbaec86c1b5d776df25b19a2001e33c5470bba7e8bd95a9c5d65e788f2c81439dc70b57d1511bfbe607128fabceb3e0ae009a377d352e9761002379

  • SSDEEP

    1536:f4KTOGHcKhgnPZcHHTuipl/oUY3Fw8VLN:fpOYenPZcn3lgUYH

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 3 IoCs

    sc.exe is the built-in Windows utility for controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe
    "C:\Users\Admin\AppData\Local\Temp\3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\coxlifaa.dll Exucute
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\SysWOW64\net.exe
        net stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop WinDefend
          4⤵
          PID:4132
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
          PID:4912
      • C:\Windows\SysWOW64\sc.exe
        sc config WinDefend start= disabled
        3⤵
        • Launches sc.exe
        PID:3672
      • C:\Windows\SysWOW64\sc.exe
        sc config MpsSvc start= disabled
        3⤵
        • Launches sc.exe
        PID:4376
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" stop PolicyAgent
        3⤵
        • Launches sc.exe
        PID:2892
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\snpnifaa.dll Exucute
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      PID:1984
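The process tree above, together with the "Stops running service(s)", "Launches sc.exe" and "Runs net.exe" signatures, is the kind of chain a detection engineer wants to match on process-creation telemetry: net/sc invoked against Defender (WinDefend), the firewall service (MpsSvc) and the IPsec Policy Agent, all spawned by a rundll32 whose parent runs out of a user temp directory. The following is an added example of that detection logic, not part of the sandbox report or the sample. The event records are constructed from the PIDs and command lines in the tree above; the record fields (pid, ppid, image, cmdline) and the ppid of the root process are assumptions, not report data.

```python
"""Detection logic for the defense-evasion chain recorded in this report.

Added example, not part of the sandbox report or the sample. The process
records below are constructed from the command lines and PIDs in the
process tree above; the record fields (pid, ppid, image, cmdline) and the
ppid of the root process are assumptions, not report data.
"""
import re

# Services the sample stopped or disabled, per the process tree above
# (Defender, the Windows Firewall service and the IPsec Policy Agent).
PROTECTED_SERVICES = {"windefend", "mpssvc", "policyagent"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe")

# Constructed from the report's process tree; ppid 0 for the root is assumed.
EVENTS = [
    {"pid": 2432, "ppid": 0,    "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"pid": 4088, "ppid": 2432, "image": r"C:\Windows\SysWOW64\Rundll32.exe",
     "cmdline": r"Rundll32 C:\Windows\system32\coxlifaa.dll Exucute"},
    {"pid": 4248, "ppid": 4088, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net stop WinDefend"},
    {"pid": 4132, "ppid": 4248, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop WinDefend"},
    {"pid": 1660, "ppid": 4088, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": "net stop MpsSvc"},
    {"pid": 4912, "ppid": 1660, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop MpsSvc"},
    {"pid": 3672, "ppid": 4088, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc config WinDefend start= disabled"},
    {"pid": 4376, "ppid": 4088, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc config MpsSvc start= disabled"},
    {"pid": 2892, "ppid": 4088, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" stop PolicyAgent'},
    {"pid": 1984, "ppid": 2432, "image": r"C:\Windows\SysWOW64\Rundll32.exe",
     "cmdline": r"Rundll32 C:\Windows\system32\snpnifaa.dll Exucute"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line, keeping a quoted path as one token."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def service_tampering(cmdline):
    """Return (action, service) when net/net1/sc stops or disables a protected service."""
    t = tokens(cmdline)
    if len(t) < 3:
        return None
    exe, args = basename(t[0]), [a.lower() for a in t[1:]]
    svc = args[1]
    if svc not in PROTECTED_SERVICES:
        return None
    if exe in ("net", "net.exe", "net1", "net1.exe") and args[0] == "stop":
        return ("stop", svc)
    if exe in ("sc", "sc.exe"):
        if args[0] == "stop":
            return ("stop", svc)
        # sc accepts both "start= disabled" and "start=disabled"
        if args[0] == "config" and "start=disabled" in "".join(args[2:]):
            return ("disable", svc)
    return None


def rundll32_from_temp(event, by_pid):
    """Flag rundll32 whose parent image runs from a user temp directory."""
    t = tokens(event["cmdline"])
    if not t or basename(t[0]) not in ("rundll32", "rundll32.exe"):
        return None
    parent = by_pid.get(event["ppid"])
    if parent is None or "\\appdata\\local\\temp\\" not in parent["image"].lower():
        return None
    return (t[1] if len(t) > 1 else "", parent["image"])


def analyze(events):
    """Run both rules; escalate a flagged rundll32 whose children tamper with services."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        hit = service_tampering(e["cmdline"])
        if hit:
            findings.append({"pid": e["pid"], "rule": "service_tampering",
                             "action": hit[0], "service": hit[1], "severity": "medium"})
        hit = rundll32_from_temp(e, by_pid)
        if hit:
            findings.append({"pid": e["pid"], "rule": "rundll32_from_temp",
                             "dll": hit[0], "parent": hit[1], "severity": "medium"})
    tamper_parents = {by_pid[f["pid"]]["ppid"] for f in findings
                      if f["rule"] == "service_tampering"}
    for f in findings:
        if f["rule"] == "rundll32_from_temp" and f["pid"] in tamper_parents:
            f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Against the constructed events this yields nine findings: seven service-tampering hits (the net/net1 pairs each count twice, which mirrors how the tree records them) and two rundll32 hits, with PID 4088 escalated to high because its children are the ones stopping WinDefend, MpsSvc and PolicyAgent, while PID 1984 stays at medium. The parent-child correlation is what separates this from a plain command-line string match; a legitimate admin running sc config from an interactive shell has no rundll32-in-temp parent.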

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BDC7.tmp

    Filesize

    4.3MB

    MD5

    6c7cdd25c2cb0073306eb22aebfc663f

    SHA1

    a1eba8ab49272b9852fe6a543677e8af36271248

    SHA256

    58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

    SHA512

    17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

  • C:\Windows\SysWOW64\coxlifaa.dll

    Filesize

    53KB

    MD5

    210995930b8b604e08ffa28b72be5cf6

    SHA1

    1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

    SHA256

    f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

    SHA512

    e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

  • C:\Windows\SysWOW64\snpnifaa.dll

    Filesize

    19KB

    MD5

    969035e2164bd07b46d7b35ea766f47d

    SHA1

    d1ae955cf7524d1d0d2af10be7cc63649e7bc520

    SHA256

    2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

    SHA512

    160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53