Analysis

  • max time kernel
    188s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2022 21:43

General

  • Target

    3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe

  • Size

    12.3MB

  • MD5

    539f578b64798adbc2e7fd533ab5f3df

  • SHA1

    584787deede001f3ea3de929fa179dc0d1779e16

  • SHA256

    3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530

  • SHA512

    388f9930653152fc7108ef842782355188415069737287c9a8bff4f595da6cd112ef3c471cd44f1463be3d8edddcdb6868a99743ca72775cd921cdd643e7dceb

  • SSDEEP

    196608:dog5iYnsuJhm2ftgF2X+AsIBDcNQlKnLGWcNNsQb2xd9fY61bHEoQebtG:dog5iYnsuzm217hALGWONsQiLlOeU

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe
    "C:\Users\Admin\AppData\Local\Temp\3622aaa168be721c29dd27f8d8438f0801fcb26a1c83861e91fed729582dc530.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c .\Setup.bat
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\WINDOWS\SysWOW64\msiexec.exe
        C:\WINDOWS\system32\msiexec.exe /x {0F42CE41-25C8-43E8-878E-61C5D0B1BB00} /quiet
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\GeitRADllCom.msi" /passive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3168
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\GeitRAConfig.msi" /passive
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:3280
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\GeitRAMainClt.msi" /passive
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:4568
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:3760
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 208AA9047903F9AA4069ADAD9BA1316C
        2⤵
        • Loads dropped DLL
        PID:4352
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 0B4CC7057FCB540495C2DAB0AB2C7D5C
        2⤵
        • Loads dropped DLL
        PID:3140
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2788

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\GeitRAConfig.msi

      Filesize

      204KB

      MD5

      cdd030561462af7cae58440d50a90eee

      SHA1

      0c92244e85b1c8c62fe97fb9ff7c786fefde92a2

      SHA256

      2058ea4907f78e5920538bbb1b24f5dee973dba8fb1411b61504f85612644696

      SHA512

      d89d66e6f0130431f125d4c5e89a02e48f3700b4c5339a6471139310796198f8e92a35dbde95ace4e15c1323209c5bc9af90eac2b7845af90f7c3c952dec288d

    • C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\GeitRADllCom.msi

      Filesize

      10.6MB

      MD5

      ed46088ab1bab6ceffe89cc640419cd6

      SHA1

      57f0157430f30fc6acad4e8c910315baa6aef9b6

      SHA256

      a3b3ce84787711f2614703957bcdc1e2b830246be192f004c0b9afea02ff0061

      SHA512

      90dff963460082bfcb91f091c2f9643073ac224a89538b5388f3a586bbae1b3dda4890c9734b92b23ed5308ce1291dd553a8403994c4fccddad7408938d48c3b

    • C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\GeitRAMainClt.msi

      Filesize

      1.9MB

      MD5

      2515639822caac1baeb867cead4871af

      SHA1

      ee5864762238c639cf8f30e74f4704702ce814cb

      SHA256

      4f20b028331a911717dd1125a7f6c9a1fe13c6b959c3b3ccfba4d6c6c278a00d

      SHA512

      92fc39952de2b2b527c484a1d06d7f42a00e3c9f2d0b805a81b047f2dbd1251ad9ed84f6d54948450a47c1a0e2d821fc52a0edc0d61d7bfec7a2cd5f1b4ffa89

    • C:\Users\Admin\AppData\Local\Temp\7zS2933.tmp\setup.bat

      Filesize

      644B

      MD5

      42b2c59f4007d67d69fc0564177b4867

      SHA1

      9f03b8eee97fa731d3e34c418f3af744f8904e56

      SHA256

      088d445aca4a3cfa757ebdf273fa959afca86cd5587c45ebddea4c4bd6a8531e

      SHA512

      77cdd2eb002ab065716c94067ebfc17f42cb37811df46c5e4ed53d5e0a87979c72c9c3d48a2e5096ad4893b2ae1e187e3e97e1c6798b0179e7643f01b20f5f98

    • C:\Windows\Installer\MSI1812.tmp

      Filesize

      26KB

      MD5

      ff1591dd7cc76baa17a7b11d8b4908fe

      SHA1

      f0e240c01598c56d8d1ab929c6f3b9387db9fc6d

      SHA256

      0f73b21436520f5c3854d2d98d13d97626462836e214b0746c2a7f4dc654a09d

      SHA512

      ede2d4c90c8eb241197876d1987571633ab33425799b129743b14bfc2c6f45c1ccc477b78f39a1220e25e8c93bdf47b1d2cb67754fc6eda771839e9d9a97ffb5

    • C:\Windows\Installer\MSI24B7.tmp

      Filesize

      26KB

      MD5

      ff1591dd7cc76baa17a7b11d8b4908fe

      SHA1

      f0e240c01598c56d8d1ab929c6f3b9387db9fc6d

      SHA256

      0f73b21436520f5c3854d2d98d13d97626462836e214b0746c2a7f4dc654a09d

      SHA512

      ede2d4c90c8eb241197876d1987571633ab33425799b129743b14bfc2c6f45c1ccc477b78f39a1220e25e8c93bdf47b1d2cb67754fc6eda771839e9d9a97ffb5

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      3.0MB

      MD5

      ebe655d742f2dcb534b20e05e440d49c

      SHA1

      79a2cf310fe2595637be4ad3ea7538eade7f8f60

      SHA256

      849add3fd79185d968b7b0202ce5993064d65c2b816bd4cd47f72e50eb2f158a

      SHA512

      b57198cba70379cda6b26b19ad149facc8584318e0c5873d9effbdf99c2954defb65b9c9b7add10550b92e6a2e5e5b533150389993145b649123a1e6ba904b68

    • \??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8910c9eb-cda5-4add-bd6a-161923d13028}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      8b1d1550b7234fafd2174902fa6ffc52

      SHA1

      c5d8b9ea0e9dad76e2b1bada82c009faf452a692

      SHA256

      08a9215c57171d3acd935fffe769aeb8672d3184e3056443b28fddbb8cff5c98

      SHA512

      251fd99b6c20bb555d4d243a8d69f481b7cb5fb6efaa71b28705be4b65297b7d72fe5c4910519ad8468ff7cc523531fc637c3053b6c557d524179d14dfed7fff

    • memory/1912-132-0x0000000000000000-mapping.dmp

    • memory/3140-143-0x0000000000000000-mapping.dmp

    • memory/3168-136-0x0000000000000000-mapping.dmp

    • memory/3280-142-0x0000000000000000-mapping.dmp

    • memory/3760-137-0x0000000000000000-mapping.dmp

    • memory/4352-138-0x0000000000000000-mapping.dmp

    • memory/4420-134-0x0000000000000000-mapping.dmp

    • memory/4568-149-0x0000000000000000-mapping.dmp