Analysis

  • max time kernel: 151s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/09/2022, 06:50

General

  • Target: 3d2aae30ba5c2464b11538d5b36d2e0edadc7749dd8c614172c689c5b87b7e42.exe
  • Size: 640KB
  • MD5: 016a14639bfbedc80ee46d77d4667e35
  • SHA1: a6921feb8c3c969090bdf9d2acb3a3ed0b92b56b
  • SHA256: 3d2aae30ba5c2464b11538d5b36d2e0edadc7749dd8c614172c689c5b87b7e42
  • SHA512: 56666b809dda3b39d3f84dbd8ddabad9450eecad8392ce3968e9531351543e5b7938cbe1b49304a5cd1a45c5e725e18c21847ee831e058d9a13a8ab0325c5c13
  • SSDEEP: 6144:nFYFN2CESrfI067dvxzEqjC0nzHHGSukYJ2cKLERd3lhv1do8hl3Xe69UfckT:nFMocfIv7DzEqjrn2twEj3v1PNkT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 35 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d2aae30ba5c2464b11538d5b36d2e0edadc7749dd8c614172c689c5b87b7e42.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3d2aae30ba5c2464b11538d5b36d2e0edadc7749dd8c614172c689c5b87b7e42.exe"
    PID: 2420
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\KWOEi.bat
      PID: 4908
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\expand.exe
        Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\kingsoft.cab" -F:*.* "C:\progra~1\kingsoft"
        PID: 4216
        • Drops file in Program Files directory
    • C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v989.com/?xy
      PID: 360
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:17410 /prefetch:2
        PID: 3612
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 1520b1f0e8660cc8553264ce46871efd
    SHA1: 70c43f2c0b7599f782461590f8e1650a2df5dbfe
    SHA256: 8bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e
    SHA512: 6ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 1a4e2a8c401f4d686ccd64fd787e7b9b
    SHA1: 81478e02517de6133f58c4827e5d63c5816d1e8e
    SHA256: 67b491eb43bfc1aa5a0e1be5097cab8b956211babcddc4206d0d9c011412a5a0
    SHA512: d33a03a73cc7d48e49041cf98c8863e15150cbb44515276dc582865f7f70c9a012bc579cbb9eea53f4686a26ae4059778c06f2eb947b0fceeb9e61043cd34a93

  • C:\Users\Admin\AppData\Local\Temp\KWOEi.bat
    Filesize: 108B
    MD5: 7e088598ce2c636b6e9ca009fed77d5d
    SHA1: 017f9745191aae8555e7ade2db926350e8a2c19e
    SHA256: c3d87b9342ad79a44d55a953b088c43f17c4e09543d5c9da4f29065c057f0148
    SHA512: 81d3eb04f8fbac072e532e1106a301de04c415797b713b2204fe7d00ace00b272a411e112ff4b8d5c15e1afeda124a6ad3c82edd8dc1b9b5d2176f7c013531df

  • \??\c:\users\admin\appdata\local\temp\kingsoft.cab
    Filesize: 320B
    MD5: 6745412fa325b9ffb5e32cb90a94156d
    SHA1: b589eb32911a71793b886fa5ee578da7842f34f3
    SHA256: fc57031274dd2917773c8ac14854a5d8c0cbe1d5464edc0f2fca37951f703798
    SHA512: 94ee1fe099ec8b6f9628a75603c6bc387f73e14a4a5eb900c02c9c154808e1c6eedc1798cb97d4bae99c769274f5756fbf450d8bdef41445b2450bd01e2ff9b4