Overview

overview

8

Static

static

21e7c7759a...2c.exe

windows7-x64

8

21e7c7759a...2c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    181s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 03:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c.exe

  • Size

    74KB

  • MD5

    c1b46bf9654a5febe9095ce5bb591b39

  • SHA1

    e94124a662f8c492a097cee840c6130ac8539372

  • SHA256

    21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c

  • SHA512

    de23ed4448a3f665a5a52f727000c0a7e5a775a74d20bf60add3019248ac92777d9bed37f4bdd8ce79c150d97c9d3d043fdfed0865dabf72018dc7d54118bbdd

  • SSDEEP

    768:uVOHR6dyI0hkKH07P4XUNoPNnREquHcbbbbxNnREquHcbbbbaw:tCn4ENyNiKbbbbxNiKbbbb

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c.exe
    "C:\Users\Admin\AppData\Local\Temp\21e7c7759adc4d5968c0979bb623e7362ee1deaa7acd36ee02e75473a8cee82c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\ahyguys.exe
      "C:\Users\Admin\AppData\Local\Temp\ahyguys.exe"
      2⤵
      • Executes dropped EXE
      PID:4152

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ahyguys.exe
    Filesize

    74KB

    MD5

    4fd262238957f368899384a712fdea66

    SHA1

    a154f9c06a71eb515863aa27b5c4128c2ca386db

    SHA256

    37d41fa4d73ef0d245692642b70ef164966e8b2960f82952423f213a29d93daf

    SHA512

    47fa6d61942c25c2c5dc53ac71ce128016010c9ff19e1c4a8973321f7faa5941b4df5b259ee23a476b62173d62bd2c51d09e6f744d7b7f1e025f2f9d44bfaaa9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ahyguys.exe
    Filesize

    74KB

    MD5

    4fd262238957f368899384a712fdea66

    SHA1

    a154f9c06a71eb515863aa27b5c4128c2ca386db

    SHA256

    37d41fa4d73ef0d245692642b70ef164966e8b2960f82952423f213a29d93daf

    SHA512

    47fa6d61942c25c2c5dc53ac71ce128016010c9ff19e1c4a8973321f7faa5941b4df5b259ee23a476b62173d62bd2c51d09e6f744d7b7f1e025f2f9d44bfaaa9

    Download Submit

  • memory/1716-132-0x0000000002290000-0x00000000022B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1716-133-0x0000000000400000-0x00000000004253F0-memory.dmp

    Filesize

    148KB

    Download