Analysis

  • max time kernel
    152s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 23:51

General

  • Target

    cdc2d7e41ef180254fb121672f4012a734a50edc1e88a9a3d822c42b73a71e02.exe

  • Size

    47KB

  • MD5

    69c6156e3462c9693517805ea434dc70

  • SHA1

    51cb1e46237aab3806ab64ece3ecb9f64056913e

  • SHA256

    cdc2d7e41ef180254fb121672f4012a734a50edc1e88a9a3d822c42b73a71e02

  • SHA512

    3393acf14b1e32a471bc043224ef238a9ff05eba908eefe18c27459aeb301a145ae463d63f9ae0d05f444a330bb824dca29451f06d0147e70b91e37b2a2b2eb1

  • SSDEEP

    768:F1vhyXmgkUeDg0nsF8+k+MiT3Quo2Qc/UpQt07d21a1XTvF7llPwZ:F1vhyX5kHaoNrpQt07k1sXxJl

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdc2d7e41ef180254fb121672f4012a734a50edc1e88a9a3d822c42b73a71e02.exe
    "C:\Users\Admin\AppData\Local\Temp\cdc2d7e41ef180254fb121672f4012a734a50edc1e88a9a3d822c42b73a71e02.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CDC2D7~1.EXE > nul
      2⤵
      PID:4668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CDC2D7~1.EXE > nul
      2⤵
      PID:4680
  • C:\Windows\qiqaiy.exe
    C:\Windows\qiqaiy.exe
    1⤵
    • Executes dropped EXE
    PID:4860

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\qiqaiy.exe

    Filesize
    47KB

    MD5
    69c6156e3462c9693517805ea434dc70

    SHA1
    51cb1e46237aab3806ab64ece3ecb9f64056913e

    SHA256
    cdc2d7e41ef180254fb121672f4012a734a50edc1e88a9a3d822c42b73a71e02

    SHA512
    3393acf14b1e32a471bc043224ef238a9ff05eba908eefe18c27459aeb301a145ae463d63f9ae0d05f444a330bb824dca29451f06d0147e70b91e37b2a2b2eb1