Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 12:59

General

  • Target

    fe375ad64cf4a2e0b5ff6861fde06eb052186c4f2af494df4f7ba24d601c834d.exe

  • Size

    369KB

  • MD5

    6cfb480fbb8f5f6f4f1eaf5b3fd3ccf0

  • SHA1

    d40cf05c128b80d8553732962475ab68620a8132

  • SHA256

    fe375ad64cf4a2e0b5ff6861fde06eb052186c4f2af494df4f7ba24d601c834d

  • SHA512

    3b1a8e18fdc42e76a5f124b7c375fd1a3c55d3c8fc362d7c006e094188043e69047f8a2b8ab674ae1bcfe8b676e871e7ef20ec21048d9759263b7f845bc3518b

  • SSDEEP

    6144:mWwMnudcfjjyX0A2zgIBcpRM7ERG1QvUTkOSOHvjRpO34F9wqS5ISC+wxE6fBnCD:ruGfjjyXIBf7EoPkTOHvjGoF9wqS5Zlb

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe375ad64cf4a2e0b5ff6861fde06eb052186c4f2af494df4f7ba24d601c834d.exe
    "C:\Users\Admin\AppData\Local\Temp\fe375ad64cf4a2e0b5ff6861fde06eb052186c4f2af494df4f7ba24d601c834d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Users\Admin\AppData\Local\Temp\lqbzse.exe
      "C:\Users\Admin\AppData\Local\Temp\lqbzse.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C ping.exe 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\lqbzse.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:488
        • C:\Windows\SysWOW64\PING.EXE
          ping.exe 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2832

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\lqbzse.exe

          Filesize

          89KB

          MD5

          39908889662cc31f41e82a1638927392

          SHA1

          07f68d13e730e4c43c79b939b9da441d19308b58

          SHA256

          e8004f7445438f9c3310c31e7a506be625d91be54bf5ddd775eb62e6997c6f5e

          SHA512

          9d0d386396adcc589f404571e53167e981c0bd2650e51eaa3eb35a08ec3c99781ef98b71eb4c7b5da4dbd23e6cc80673b12181bd805ad3036f3acda06909d982