Overview

overview

10

Static

static

DRAFT.exe

windows7-x64

10

DRAFT.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    62s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/09/2022, 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DRAFT.exe

  • Size

    859KB

  • MD5

    eeef1bb50b50ea56de000b58d5d1af23

  • SHA1

    913f174bbe99536c02b13b814aece6618dd44d88

  • SHA256

    c8e6840e3aa32b2f68c912e0cd09d6956863418a7bb5cd552dc2fde563d53327

  • SHA512

    4845b3e98c4ab85ec65da6219464057bcd6fc3bfa0ae3f460c81c9d5bf93586f118deb433369779a3782deea9a34406830d2a7932e120b54087228ee4bf7f4bd

  • SSDEEP

    12288:32wnbnku/zUCyxjiurvwqFrl/FeYnjSScwGlW0b:3JnTkyy2urJFJ3jJ7g

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
    "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VJZbyPULlZx.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3412
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VJZbyPULlZx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4074.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2424
    • C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
      "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
      2⤵
        PID:4184
      • C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
        "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
        2⤵
          PID:1464
        • C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
          "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
          2⤵
            PID:3760
          • C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
            "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
            2⤵
              PID:2796
            • C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
              "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
              2⤵
                PID:1716

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp4074.tmp
              Filesize

              1KB

              MD5

              8c536c3faa3059aa6facd38d196029bd

              SHA1

              747cabe84b08ad8d7cf749364236a0f89a05c010

              SHA256

              3b5c43ea049abb4ea39211efb889efc67a05598932915bc9488fcce70b28ff40

              SHA512

              1b63efb366bedc2c2933aaced6cfd6b2b81d0ff7050025f6cbbec3d1de8b0689ab77a60f05a5d4fc342d8ce2ba553d01be688bd7f979062e9b88a7b6fdc3cc71

              Download Submit

            • memory/2268-133-0x0000000005F70000-0x0000000006514000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2268-134-0x00000000059C0000-0x0000000005A52000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2268-135-0x00000000033B0000-0x00000000033BA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2268-136-0x0000000009590000-0x000000000962C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/2268-137-0x00000000099C0000-0x0000000009A26000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2268-132-0x0000000000E20000-0x0000000000EFC000-memory.dmp

              Filesize

              880KB

              Download

            • memory/3412-148-0x0000000004B90000-0x0000000004BB2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3412-156-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3412-142-0x0000000004E50000-0x0000000005478000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/3412-140-0x0000000002200000-0x0000000002236000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3412-160-0x0000000007170000-0x0000000007178000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3412-149-0x0000000004C30000-0x0000000004C96000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3412-150-0x00000000048D0000-0x00000000048EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3412-151-0x0000000006110000-0x0000000006142000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3412-152-0x00000000736D0000-0x000000007371C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3412-153-0x00000000060D0000-0x00000000060EE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3412-154-0x0000000007490000-0x0000000007B0A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/3412-155-0x0000000006E40000-0x0000000006E5A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3412-159-0x0000000007180000-0x000000000719A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3412-157-0x00000000070C0000-0x0000000007156000-memory.dmp

              Filesize

              600KB

              Download

            • memory/3412-158-0x0000000007080000-0x000000000708E000-memory.dmp

              Filesize

              56KB

              Download