Overview

overview

8

Static

static

38513b57c6...ef.exe

windows7-x64

8

38513b57c6...ef.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38513b57c6a50f46e20d6db31c1f1a2e16052a2e800decf0a78296a4b8b0deef.exe

  • Size

    627KB

  • MD5

    76259cd43050a68399c426b9dfc882f0

  • SHA1

    ae4562712b55a83a09028ff36bbb6ec639422fb7

  • SHA256

    38513b57c6a50f46e20d6db31c1f1a2e16052a2e800decf0a78296a4b8b0deef

  • SHA512

    a220777361559e6e14d354f398ed8a3e1b924cfb5f9ee8df65e17240bb9e2664942da771453b73871d195be3b9858faf873c405c10b7e022c5c27da7e53508b4

  • SSDEEP

    12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38513b57c6a50f46e20d6db31c1f1a2e16052a2e800decf0a78296a4b8b0deef.exe
    "C:\Users\Admin\AppData\Local\Temp\38513b57c6a50f46e20d6db31c1f1a2e16052a2e800decf0a78296a4b8b0deef.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Users\Admin\AppData\Local\Temp\kezuxeu.exe
      C:\Users\Admin\AppData\Local\Temp\kezuxeu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp
        C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp OK
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Users\Admin\AppData\Local\Temp\iqheqof.exe
          "C:\Users\Admin\AppData\Local\Temp\iqheqof.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      2⤵
        PID:5116

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
      Filesize

      341B

      MD5

      ee17c304ed0f8686f11710f5662892a6

      SHA1

      f863bab2b7faf4443b08a9be230245e289432be0

      SHA256

      3c3fa3cb182f2e1a5c2ab166ee57c882d64baa18445ac65734593bc6595a507b

      SHA512

      de03931f353765eb53d099cb08703e8ce347cb48d8191e48825e4eaa14b4acc42c95d2c7d8843a41479afffa570d6239a789484cd2c9b315cf890d8944560f6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gbp.ini
      Filesize

      104B

      MD5

      86bb2dbeaef655893262f3c041f6afe2

      SHA1

      1b26ff1241c1353bd506c18bd0c11878076ba65d

      SHA256

      4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

      SHA512

      58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      480B

      MD5

      b5b4a02f4ba279807a2a44ee461adc2d

      SHA1

      b7e8881a7207c0f05523299f544e6c74eb29eff6

      SHA256

      46be4fa725913be6c8f2ec9c71f3e8d15a7a68ed2566b0ca6edb19ce7622e452

      SHA512

      fb7b43b0862eeb416327db404f152a6e029059163f18877cd3c4fb698ac250858bb037e6dec8ca61afffac0d2b508bfb9939107f79feeeb2f670ee0deb54da50

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\iqheqof.exe
      Filesize

      403KB

      MD5

      750a271806bfacae5cd51c8060a4f081

      SHA1

      5db576eae54278584155298d241cd9e83ad12b22

      SHA256

      ef579bee7324fff339a6d8c30449b5a5c846072eb5379ee191fb08a6fa951500

      SHA512

      9c2b7be897519336a67501fdc3c30f4ad3c33cafca4316fa3a31dff3700fd4a056f0262b320353061ede95b9acf81c107e77d80bf2ae61a53d47758eb78b80e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\iqheqof.exe
      Filesize

      403KB

      MD5

      750a271806bfacae5cd51c8060a4f081

      SHA1

      5db576eae54278584155298d241cd9e83ad12b22

      SHA256

      ef579bee7324fff339a6d8c30449b5a5c846072eb5379ee191fb08a6fa951500

      SHA512

      9c2b7be897519336a67501fdc3c30f4ad3c33cafca4316fa3a31dff3700fd4a056f0262b320353061ede95b9acf81c107e77d80bf2ae61a53d47758eb78b80e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kezuxeu.exe
      Filesize

      630KB

      MD5

      e6678958ad0a1f894a1d73fc7a34ac70

      SHA1

      0e57e1482559d658ffc8ee5c929091e5cfbcb488

      SHA256

      0102fed86acd2e687574c395f65e78cb356cc87340997cd04f5da7e9232b5b31

      SHA512

      485863881e16726d878f548c140ba71b123a375971afcc0ade85fcc32461ad8d62a65eb2ab04be3edd20ac0d783075f13526a2884decb24f3eda43f79d79f3a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kezuxeu.exe
      Filesize

      630KB

      MD5

      e6678958ad0a1f894a1d73fc7a34ac70

      SHA1

      0e57e1482559d658ffc8ee5c929091e5cfbcb488

      SHA256

      0102fed86acd2e687574c395f65e78cb356cc87340997cd04f5da7e9232b5b31

      SHA512

      485863881e16726d878f548c140ba71b123a375971afcc0ade85fcc32461ad8d62a65eb2ab04be3edd20ac0d783075f13526a2884decb24f3eda43f79d79f3a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp
      Filesize

      634KB

      MD5

      c855401555d8bcde5922e1e0a1b98745

      SHA1

      b95e76fd78856f5a46447823d7571d5d899c16da

      SHA256

      86f2c1c5471f3fa17fd10c01d227c07238dda38fe5905d5cc677bdecf9a78646

      SHA512

      74c08101858f372b083265c513a787fbc4e0e6a3a6539fd0748423e71c854ee394f8aae99afd8f04e8ea58d44a8d0033f4bd195c4b6e8fd59ef49fe7f461f72e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFA233.tmp
      Filesize

      634KB

      MD5

      c855401555d8bcde5922e1e0a1b98745

      SHA1

      b95e76fd78856f5a46447823d7571d5d899c16da

      SHA256

      86f2c1c5471f3fa17fd10c01d227c07238dda38fe5905d5cc677bdecf9a78646

      SHA512

      74c08101858f372b083265c513a787fbc4e0e6a3a6539fd0748423e71c854ee394f8aae99afd8f04e8ea58d44a8d0033f4bd195c4b6e8fd59ef49fe7f461f72e

      Download Submit

    • memory/928-150-0x0000000000400000-0x000000000053E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/928-152-0x0000000000400000-0x000000000053E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3268-132-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3268-143-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3552-137-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3552-144-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/4896-146-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/4896-141-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download