Overview

overview

8

Static

static

795da4b9f7...bc.exe

windows7-x64

8

795da4b9f7...bc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    112s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2022 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe

  • Size

    621KB

  • MD5

    a11a246b267a89800f56acd21ad32ee0

  • SHA1

    cad716bf39d42de0992a81993f7a61f7d2ca0301

  • SHA256

    795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc

  • SHA512

    d47a4322518cff8980454b797b282a3cc420fbf3d889b9b60713ab34f57d2ed821db29ac75ee6d8b5a33009c2962e6e948868e61b2087519daa0f2ed9b3aef3f

  • SSDEEP

    12288:WMtPB1HbMPXAktKhILTR7/3zNo4nQRQq5rC1ALp2eiFLRHYHGz:FtHAPXAvQ7rbnQRQuOyLU7TOGz

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe
    "C:\Users\Admin\AppData\Local\Temp\795da4b9f798971e5e9c6784199c2993b9506d02b1419ebad7a81391cb6ddbbc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\dofhir.exe
      "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
      2⤵
      • Executes dropped EXE
      PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
        PID:664

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dofhir.exe
      Filesize

      621KB

      MD5

      8df5b0d7c45d4d6ee58a7f86bc52d688

      SHA1

      d4790654355561d217b5225325b4ce466632baa4

      SHA256

      71b2dc599321d96756f28a2c3763623b6e6b300859d61f8349aea3aa57b59426

      SHA512

      8c66c24e27ae4dd3fdb8de4832372ee48b9592fc1ebf86b1d47326d6149e18232e2f3433a13b7a4af75e44147aafec37787d803abc62b980efe3645395916579

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dofhir.exe
      Filesize

      621KB

      MD5

      8df5b0d7c45d4d6ee58a7f86bc52d688

      SHA1

      d4790654355561d217b5225325b4ce466632baa4

      SHA256

      71b2dc599321d96756f28a2c3763623b6e6b300859d61f8349aea3aa57b59426

      SHA512

      8c66c24e27ae4dd3fdb8de4832372ee48b9592fc1ebf86b1d47326d6149e18232e2f3433a13b7a4af75e44147aafec37787d803abc62b980efe3645395916579

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      64bd6ce7bbf11d281db681ed92eef333

      SHA1

      2034da53aac1d1bb31412abd3374518956556beb

      SHA256

      f6ac51f63e05e0c1e484b9a0df249ea47e6db7e72b603191235b19fb486a0efe

      SHA512

      5063a264be28eab5fdae7684427cf23fe80d79d14305f516c41871422daefd8a9b39bc715098bb955b623514f0c0781b0d8b516e0bf0f0ef8c6c7736b106ba26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
      Filesize

      338B

      MD5

      90e51814b9824c62b49397aad2bc3a2b

      SHA1

      860402f4638d1d34cfb12b14e4a30a3bb2516e2d

      SHA256

      0852d1988590820318bbcffffd3fb06e24d2220f8d5f11508fe51fadafe0ef8b

      SHA512

      fc1b4f5f4924c9756744bf4a105b47bda69dc0bd7c49fdb2e68ff8d0c10f95517587553ac647319d92f2f14f39b3a9d161e3d88163068a7c491e08477f81f921

      Download Submit

    • memory/2548-139-0x0000000000130000-0x000000000036A000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2548-141-0x0000000000130000-0x000000000036A000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/2548-142-0x0000000000130000-0x000000000036A000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4504-132-0x0000000000F50000-0x000000000118A000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4504-137-0x0000000000F50000-0x000000000118A000-memory.dmp

      Filesize

      2.2MB

      Download