Overview

overview

7

Static

static

eda70e211c...55.exe

windows7-x64

1

eda70e211c...55.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    103s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 00:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eda70e211c1ef0c9d688225093b8de95e87c30386f2882676155931105cdcd55.exe

  • Size

    917KB

  • MD5

    625f06e25e3633ef1daadec223db7fe0

  • SHA1

    17231a9fb7cf1c75129d6a0cad1e81aab2c153d4

  • SHA256

    eda70e211c1ef0c9d688225093b8de95e87c30386f2882676155931105cdcd55

  • SHA512

    ffdeef4801ded5d9dab0ce3df4a4ca8d8425da480568c7d95642703c776fd1abd2210fa8c14a2d81c8472a00ff66caef17d4616b25ddc0049bf9586b7c2a52d4

  • SSDEEP

    24576:IrRoNk7BZpaqUp9EYivfqvCFvhVBBw8Sw+UtR4xB04O:IrRokp+PSFJ3BXyU74s

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eda70e211c1ef0c9d688225093b8de95e87c30386f2882676155931105cdcd55.exe
    "C:\Users\Admin\AppData\Local\Temp\eda70e211c1ef0c9d688225093b8de95e87c30386f2882676155931105cdcd55.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        3⤵
          PID:1548

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
            Filesize

            358B

            MD5

            39b4e37898ec48222d6651eeb8cab6d8

            SHA1

            408ddc22b3b0285d4afde4229c2ee69f121e1241

            SHA256

            df87d368d1c5112dcbc41b436c377acd6b7ca8c3658ed16f0c4a2d45fb2d65ad

            SHA512

            cb55e08758f5eae5d6086068103de754d5c507ecf9ac8821df93025bfd0803cdde16d38cb2badc8cd132e40240baf29cb58bf46dc1c94c1d369e49b9a4c190d3

            Download Submit

          • memory/2204-132-0x0000000000400000-0x00000000006B3000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/2204-133-0x0000000000400000-0x00000000006B3000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/2204-135-0x0000000000400000-0x00000000006B3000-memory.dmp

            Filesize

            2.7MB

            Download