Overview

overview

8

Static

static

099c3f5726...a8.exe

windows7-x64

8

099c3f5726...a8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    81s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    099c3f57260a402ea499b8117874bf40c14e95d73fe2b16a820a48bca721b1a8.exe

  • Size

    273KB

  • MD5

    534ce763231c19fa1755d7ebee777170

  • SHA1

    6f20a4bbb18ec4aa815230b36c81836f0f367a2b

  • SHA256

    099c3f57260a402ea499b8117874bf40c14e95d73fe2b16a820a48bca721b1a8

  • SHA512

    399d608fbdff31bf671de4197628ac80643479588f24d337bb23585306a9d3dd7d7ab8573fe26e48cfc73ebea2f727d6919de6f609b14138aa816fd1a3054b4b

  • SSDEEP

    6144:Zwq39u2lmKVaxDWivZUOzn6r3/dmU6bxUpPM5IGj58TaUHFZ:ZwuQ2AKAxDWi2Ozn6r3/4Bbx2MChhHFZ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\099c3f57260a402ea499b8117874bf40c14e95d73fe2b16a820a48bca721b1a8.exe
    "C:\Users\Admin\AppData\Local\Temp\099c3f57260a402ea499b8117874bf40c14e95d73fe2b16a820a48bca721b1a8.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\9204.vbs"
      2⤵
      • Deletes itself
      PID:2032
  • C:\Program Files (x86)\Ruubei kyqrc\Ccuqhia.exe
    "C:\Program Files (x86)\Ruubei kyqrc\Ccuqhia.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\9204.vbs
    Filesize

    500B

    MD5

    6e36610b01f0fccadf50be82307435bd

    SHA1

    b174b3ebe1fcbbdc18a0ece8ab4af5faddf684e2

    SHA256

    d05df2345da005ea2b96b0917b7537eb88744c2086db1fd1b47affd3381fff29

    SHA512

    c67be94c7e6b06a6d0886baac14b4286ef5bf709535fc240ec66571ea6f840097605cb9f122dfc627e26d4aa3df2928dd452efc01d1e21a6da251da7cfb04905

    Download Submit

  • C:\Program Files (x86)\Ruubei kyqrc\Ccuqhia.exe
    Filesize

    15.3MB

    MD5

    e693cb4f6bb6e2534d2a86a444d02d0a

    SHA1

    43f971bca16e4fbefd513b187ab40ef98e0e53c5

    SHA256

    8422badb32015b836ff35e6974fca12c0da9b9996e9aed4ce4555b5e78621377

    SHA512

    74e4ec0c5c2e23186ec81ca44c21e3b3a396a6948aacd94ce7333107aebe40c556caf14679ceefc4842e04d43938b46ee9a7bd9efc24f06bbb669002ba2c5323

    Download Submit

  • memory/856-54-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/856-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/856-56-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/856-61-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1124-59-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1124-64-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download