Overview

overview

8

Static

static

c6fa0ae06b...88.exe

windows7-x64

8

c6fa0ae06b...88.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe

  • Size

    158KB

  • MD5

    307377df5de60955137d5bb130fe00f0

  • SHA1

    355cb6156cb5a26b65b5fcbc2bbe6d811f07810e

  • SHA256

    c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88

  • SHA512

    6b74fcfef07ba1c54c7a95b09b180185466bf4c3c19116dc297fb45e961beb9507d5899733fd915a4af6f4b97e21c2c2dc0c499e04b8069f99e1958077956135

  • SSDEEP

    3072:+nj91tfUQINndIc0J+oWRPI5GeV+2IS8SFOL6Q4Kt/9X+5th:+jrei9WOg1SHbu/B+5th

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe
    "C:\Users\Admin\AppData\Local\Temp\c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\net.exe
        net stop wscsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wscsvc
          4⤵
            PID:4904

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
      Filesize

      76KB

      MD5

      ca8c0aca646aae4a7029ae898efc346d

      SHA1

      785ca48171fd02481769f46d504897f025f42d41

      SHA256

      67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

      SHA512

      7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
      Filesize

      76KB

      MD5

      ca8c0aca646aae4a7029ae898efc346d

      SHA1

      785ca48171fd02481769f46d504897f025f42d41

      SHA256

      67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

      SHA512

      7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

      Download Submit