Overview

overview

10

Static

static

923ddba976...0c.exe

windows7-x64

8

923ddba976...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    923ddba97681e865e9bf6adb97658732b4686447e52ae7732c564c095421550c.exe

  • Size

    202KB

  • MD5

    739e7e662d57814528accf5f7af266f0

  • SHA1

    32f88e853301464d62ab94a722c54af9bdf1310e

  • SHA256

    923ddba97681e865e9bf6adb97658732b4686447e52ae7732c564c095421550c

  • SHA512

    2e5d110c8fa82af6defb85c3019907c9ab5ab599aecc2fa3d6487e4ca459a7493096030ca0ddee22afd8ece25af9c92872d0023e5543ed531df1c29018e1c682

  • SSDEEP

    3072:BvwZfCyHENIIK7yfhLVII7f7bF/h9g+PlISxl+LeiXt7p7gLiiI93jJr2zs5:BMVHK/jIIzN/3PlISxlLSt9lTN2z0

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 11 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\923ddba97681e865e9bf6adb97658732b4686447e52ae7732c564c095421550c.exe
    "C:\Users\Admin\AppData\Local\Temp\923ddba97681e865e9bf6adb97658732b4686447e52ae7732c564c095421550c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\inlFBFB.tmp
        C:\Users\Admin\AppData\Local\Temp\inlFBFB.tmp amd-k5p4g.tmp
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1256
          • C:\Users\Admin\AppData\Local\Temp\lie38FF.tmp
            C:\Users\Admin\AppData\Local\Temp\lie38FF.tmp
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:992
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4312
              • C:\Windows\SysWOW64\PING.EXE
                ping 88.99.00.00
                7⤵
                • Runs ping.exe
                PID:4556
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                7⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Drops desktop.ini file(s)
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                • Modifies registry class
                PID:1292
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\923DDB~1.EXE > nul
      2⤵
        PID:4628
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\RECYCLERMD4"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:4784
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\VolumeXX\desktop.ini"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:4652
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\VolumeXX"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3440

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\amd-k5p4g.tmp
      Filesize

      762B

      MD5

      0a2553f4124abf2bbcabebbc351e854d

      SHA1

      f711f372d5eb8923a070d90ac987430286e443b1

      SHA256

      7668062e8620f463bc3e393f8f733626dec0181af5b95edeaa4ba3bc5c4cdf63

      SHA512

      0e0a22bff586569ea85efc3a67f719309adb052b5a83218cdad120c45b0cb1ed338c026ca2bba145074beb09777f2068231c94b895253edadbf6f30625d192c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\inlFBFB.tmp
      Filesize

      172.6MB

      MD5

      3cfc32d46ce127aa7a856b482adfea34

      SHA1

      6e391fcbac8ca993507f9e602a282f8a57e2e2a2

      SHA256

      74c8c87da3bca4451351e90f12e95aa1bb8a4b9047b5176a62581420f70a2d62

      SHA512

      4aa9e1566824c9dcf3c0fe0744c41814d9f2a53f14aaa2490b4cefc9533773fb0314bfdc67dc51a7ef7c95e5b9c86792d0a9064eb34befe9d6b562b432e4d2f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\inlFBFB.tmp
      Filesize

      172.6MB

      MD5

      3cfc32d46ce127aa7a856b482adfea34

      SHA1

      6e391fcbac8ca993507f9e602a282f8a57e2e2a2

      SHA256

      74c8c87da3bca4451351e90f12e95aa1bb8a4b9047b5176a62581420f70a2d62

      SHA512

      4aa9e1566824c9dcf3c0fe0744c41814d9f2a53f14aaa2490b4cefc9533773fb0314bfdc67dc51a7ef7c95e5b9c86792d0a9064eb34befe9d6b562b432e4d2f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\lie38FF.tmp
      Filesize

      172.5MB

      MD5

      12ef3e8dcc63539f86ad83f0e0ec666a

      SHA1

      c99990cfc478c3e6e6f524884a3304beb8c9a4e2

      SHA256

      af4fa58fb8c5197ad016ade3e52eedc95d1a7f8f63e03eb3b8bf44ee508bb983

      SHA512

      842d9afdb310bb7e6e1a01ccb40e2f5f9f6128918490e9ca8e0bdd3d6c89046b3b4a900853daf828ec44df290d0a5100874e1ae117a6ff69bea4c310dd59436e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\lie38FF.tmp
      Filesize

      172.5MB

      MD5

      12ef3e8dcc63539f86ad83f0e0ec666a

      SHA1

      c99990cfc478c3e6e6f524884a3304beb8c9a4e2

      SHA256

      af4fa58fb8c5197ad016ade3e52eedc95d1a7f8f63e03eb3b8bf44ee508bb983

      SHA512

      842d9afdb310bb7e6e1a01ccb40e2f5f9f6128918490e9ca8e0bdd3d6c89046b3b4a900853daf828ec44df290d0a5100874e1ae117a6ff69bea4c310dd59436e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
      Filesize

      59B

      MD5

      8b8b596fe87ee497b7f8ba239fe58404

      SHA1

      54b73a793f47f9f560adc55c832af1523014b627

      SHA256

      97086163d9c65067152a6c377a494f8650360306abe0d17af36c5f28c3ed8ed0

      SHA512

      3681ef62661a32e67f717df537746d1c07eb28a2fadd1fdfa5da0b39e214d9a17c415bfb6b99d9d49c8da34079e966f5f3248c38cefe55d7581fc1350f8c4014

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat
      Filesize

      45B

      MD5

      da3663bc6d59fcfec5e0eedaf5c092d3

      SHA1

      45e721e855351aa4be56e558b59328ae5e5882d3

      SHA256

      ea56c5d37e14a08cd9c5638793168496b35427632401726f48a25b1eb6e2e6ca

      SHA512

      f8bc5322d01589d16f6560b6e5c5d52d26d88f3fe4a00e3517dab0e9e392e3521744a60ba3aaf667ebd1c2184630fae2383315820d50cb8a689ad18915ada70c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat
      Filesize

      70B

      MD5

      edea5cd5060d69b6c558fea75e330a67

      SHA1

      929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

      SHA256

      1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

      SHA512

      adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
      Filesize

      98B

      MD5

      8663de6fce9208b795dc913d1a6a3f5b

      SHA1

      882193f208cf012eaf22eeaa4fef3b67e7c67c15

      SHA256

      2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

      SHA512

      9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta
      Filesize

      7KB

      MD5

      f38adb87bebf80645d5751d5a8dc37cc

      SHA1

      effbe37e2d0308d7575731ef04738c492918bda9

      SHA256

      cee7d9f81375f3bcfd21e249a053b7075cdea96d72d51631227ecb5b656994e5

      SHA512

      ff08458d396ffca51acd7c8e8af6e3ddb8b93221179d44bf1d5dafacb0dd0f0c925222b1e7d58b91a12893c4ad998c37a92e0602461ad43686584a4a9f982a62

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
      Filesize

      425B

      MD5

      da68bc3b7c3525670a04366bc55629f5

      SHA1

      15fda47ecfead7db8f7aee6ca7570138ba7f1b71

      SHA256

      73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

      SHA512

      6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

      Download Submit

    • memory/1820-133-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1820-132-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4496-144-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4496-146-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4496-153-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download