Overview

overview

8

Static

static

d14ef93f21...89.exe

windows7-x64

8

d14ef93f21...89.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    85s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d14ef93f21ddedb8940c70e506b6dfd56d3c177e548550a838e353ea2e39c389.exe

  • Size

    241KB

  • MD5

    5659090289c4985c64d439127bf5d560

  • SHA1

    9787f193b693393c7ed21caa06fef116d9fd70c0

  • SHA256

    d14ef93f21ddedb8940c70e506b6dfd56d3c177e548550a838e353ea2e39c389

  • SHA512

    24dddbca0bea99a05e54b0108a4af8d2013914a6881285f122fee9ede0f6973e78bd2a3c9023631f18ea1e7c334a4384cee053af4c7062645d8ad6f7dbc2daa9

  • SSDEEP

    6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxmWNFJt+lWHGaf1:lXmwRo+mv8QD4+0N46NKxZNTyOf1

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d14ef93f21ddedb8940c70e506b6dfd56d3c177e548550a838e353ea2e39c389.exe
    "C:\Users\Admin\AppData\Local\Temp\d14ef93f21ddedb8940c70e506b6dfd56d3c177e548550a838e353ea2e39c389.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\YaHun\Poaaa\mirniatom.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\YaHun\Poaaa\alkoid.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:2784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\YaHun\Poaaa\alkoid.vbs
    Filesize

    143B

    MD5

    35825a3549a21b4d733a428fb71676ec

    SHA1

    454323932e4af655cd681cbbc262439afc71d30d

    SHA256

    1dc0bc6d92302ed6d0bb539e5e69ffbcbfd670077efd8eae6537076a5c894c1d

    SHA512

    4e8d9b3ee23f9d27a97c6edc1a5c2d8b73a84022d9330d2440a51e7c145657a22801beda721267d34af17e1154b499a3de9ad77a7674d13fb9abd6ad7db5ddb6

    Download Submit

  • C:\Program Files (x86)\YaHun\Poaaa\iosdbfvadj.jka
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\YaHun\Poaaa\mirniatom.bat
    Filesize

    1KB

    MD5

    57b2932b3cdb9b7748313e3f05415f93

    SHA1

    c0046d4d54842817a68fe9752608f0add9f7c05e

    SHA256

    b265906298f8134760f950b59535b16ffcff491c74bd904a9cb81306eea704ee

    SHA512

    baea747ae01d387ee69e534f7ee12294e0135cabbd64bf40b4b376f3d358c4e9da2b892814683669e55372b2f3dc4da8d1b922f2e8ad081a80b7218fcc343881

    Download Submit