Overview

overview

8

Static

static

1cf515f370...6a.exe

windows7-x64

8

1cf515f370...6a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 14:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe

  • Size

    122KB

  • MD5

    53ebe3efa9bdad1a2af74252ccf19bd2

  • SHA1

    74e3bea45a504edd34ac009c5abcc56f477617b9

  • SHA256

    1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

  • SHA512

    6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

  • SSDEEP

    3072:TAY9SuJNW8CZ+zTyxvJ530A3RAVavmyKoSiZBtJ:TPX69ZMyxx5kA3RAVauZoSiZ7

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unexpected DNS network traffic destination 10 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
    "C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe"
    1⤵
    • Checks computer location settings
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\ProgramData\eHBOuTw3.exe
      "C:\ProgramData\eHBOuTw3.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      PID:3428
    • C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
      "C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe"
      2⤵
      • Checks computer location settings
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\ProgramData\eHBOuTw3.exe
        "C:\ProgramData\eHBOuTw3.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        PID:3364
      • C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
        "C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3240
        • C:\ProgramData\eHBOuTw3.exe
          "C:\ProgramData\eHBOuTw3.exe"
          4⤵
          • Executes dropped EXE
          PID:4684

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\eHBOuTw3.exe
          Filesize

          122KB

          MD5

          53ebe3efa9bdad1a2af74252ccf19bd2

          SHA1

          74e3bea45a504edd34ac009c5abcc56f477617b9

          SHA256

          1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

          SHA512

          6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

          Download Submit

        • C:\ProgramData\eHBOuTw3.exe
          Filesize

          122KB

          MD5

          53ebe3efa9bdad1a2af74252ccf19bd2

          SHA1

          74e3bea45a504edd34ac009c5abcc56f477617b9

          SHA256

          1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

          SHA512

          6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

          Download Submit

        • C:\ProgramData\eHBOuTw3.exe
          Filesize

          122KB

          MD5

          53ebe3efa9bdad1a2af74252ccf19bd2

          SHA1

          74e3bea45a504edd34ac009c5abcc56f477617b9

          SHA256

          1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

          SHA512

          6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

          Download Submit

        • C:\ProgramData\eHBOuTw3.exe
          Filesize

          122KB

          MD5

          53ebe3efa9bdad1a2af74252ccf19bd2

          SHA1

          74e3bea45a504edd34ac009c5abcc56f477617b9

          SHA256

          1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

          SHA512

          6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

          Download Submit

        • C:\ProgramData\eHBOuTw3.exe
          Filesize

          122KB

          MD5

          53ebe3efa9bdad1a2af74252ccf19bd2

          SHA1

          74e3bea45a504edd34ac009c5abcc56f477617b9

          SHA256

          1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

          SHA512

          6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

          Download Submit

        • memory/3240-162-0x0000000001FA0000-0x0000000001FE6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3240-164-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3240-161-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3240-160-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3364-156-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3364-152-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3364-153-0x00000000020B0000-0x00000000020F6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3364-154-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3364-157-0x00000000020B0000-0x00000000020F6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3428-144-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3428-138-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3428-140-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/3428-139-0x00000000020E0000-0x0000000002126000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-141-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-142-0x00000000005B0000-0x00000000005F6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-133-0x00000000005B0000-0x00000000005F6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-134-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-132-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-146-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4368-143-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4592-159-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4592-149-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4592-147-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4592-148-0x00000000005A0000-0x00000000005E6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4592-155-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4684-167-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4684-168-0x0000000002090000-0x00000000020D6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4684-169-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download