Overview

overview

8

Static

static

1

195381503e...d7.exe

windows7-x64

8

195381503e...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 14:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    195381503ee6f2f3b4af0ada7fbffd783772612bd7da90d5c9bea4404e147fd7.exe

  • Size

    137KB

  • MD5

    6dfc0ed2ed2b17423ac2b95cde9c32b6

  • SHA1

    23ca73dc9f6b5184316c19d89b0650e5fd5b8919

  • SHA256

    195381503ee6f2f3b4af0ada7fbffd783772612bd7da90d5c9bea4404e147fd7

  • SHA512

    ca20f19ea1af6c494528c2cb8f894fa6a20999fb30a7aad8f978a2c7709aaffd40c00aee918d6e5a79ea43652598ca3cd5350a8f92947837c4331e603f92256d

  • SSDEEP

    3072:DQIURTXJ+M7ssvRwHH20gfZJ0a5eDAnWzKyu+VrNd7Ip:Ds9xRw20iWzlIp

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\195381503ee6f2f3b4af0ada7fbffd783772612bd7da90d5c9bea4404e147fd7.exe
    "C:\Users\Admin\AppData\Local\Temp\195381503ee6f2f3b4af0ada7fbffd783772612bd7da90d5c9bea4404e147fd7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
      C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 512
        3⤵
        • Program crash
        PID:4708
      • C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
        C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3772
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 744
          4⤵
          • Program crash
          PID:2576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4816 -ip 4816
    1⤵
      PID:4788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3772 -ip 3772
      1⤵
        PID:2164

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
              Filesize

              79KB

              MD5

              a55aa5c7986dcb7f87e736e47b9c1010

              SHA1

              46260e62c30a3837cb2c16a2d8c0471ac6e08c7f

              SHA256

              f3ca5724754554610c536d41b4b9b7e6918844f52cd13f44214f2c61ad8383d8

              SHA512

              d9fa3c70c7f39a86b8d39729102ec3f69ba078b49da25d6ebf6b88b3a4ca18fdcf33e8ffddf04dbb2b00ed322d02a0b67cc55988f6432eb2219b3bfc74e4ebe3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
              Filesize

              79KB

              MD5

              a55aa5c7986dcb7f87e736e47b9c1010

              SHA1

              46260e62c30a3837cb2c16a2d8c0471ac6e08c7f

              SHA256

              f3ca5724754554610c536d41b4b9b7e6918844f52cd13f44214f2c61ad8383d8

              SHA512

              d9fa3c70c7f39a86b8d39729102ec3f69ba078b49da25d6ebf6b88b3a4ca18fdcf33e8ffddf04dbb2b00ed322d02a0b67cc55988f6432eb2219b3bfc74e4ebe3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\mggkasxz.exe
              Filesize

              79KB

              MD5

              a55aa5c7986dcb7f87e736e47b9c1010

              SHA1

              46260e62c30a3837cb2c16a2d8c0471ac6e08c7f

              SHA256

              f3ca5724754554610c536d41b4b9b7e6918844f52cd13f44214f2c61ad8383d8

              SHA512

              d9fa3c70c7f39a86b8d39729102ec3f69ba078b49da25d6ebf6b88b3a4ca18fdcf33e8ffddf04dbb2b00ed322d02a0b67cc55988f6432eb2219b3bfc74e4ebe3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\setup.dat
              Filesize

              57KB

              MD5

              869450b6fc847af6a2b7f684c1f97d20

              SHA1

              5c73dff1f6bb6d789ca13a0c47a2fc99dca20ec0

              SHA256

              85f585ed7891e51ab9b163d1aa9a6bc28b3198784351deabe0e59a58677cba7c

              SHA512

              0f453a1066bf200e5d3b624ce9fc33fdc534f94bcaa836c12a3f34204d65bae1aabeab36e4dc28efd8758d85965cecdb0a084a28943e355e7f15c384e5b7b970

              Download Submit

            • memory/3772-136-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/3772-140-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/3772-142-0x0000000010000000-0x000000001000F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/3772-146-0x0000000000400000-0x0000000000405000-memory.dmp

              Filesize

              20KB

              Download

            • memory/4816-139-0x0000000002240000-0x0000000002244000-memory.dmp

              Filesize

              16KB

              Download