Analysis

  • max time kernel: 175s
  • max time network: 178s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/10/2022, 16:23

General

  • Target: 58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
  • Size: 107KB
  • MD5: 96d80fc2389c7a9fdf25f9f9c517f460
  • SHA1: 5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1
  • SHA256: 58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db
  • SHA512: 9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb
  • SSDEEP: 1536:L1aqsSj3jJBVZ8bFOfww7As050n1VO1oNlkMPwTIyMo+GPmKdk3duGiGvZCfkagI:53sSXv8bFOlAst1uS7SJtRyFjvov1

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoCs)
  • Drops file in System32 directory (7 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTPs, 15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe
    "C:\Users\Admin\AppData\Local\Temp\58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\SysWOW64\inf\svchosts.exe
      "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwias16_080422.dll tanlt88
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\system\sgaspf080422.exe
          "C:\Windows\system\sgaspf080422.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3360
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:17410 /prefetch:2
              6⤵
                PID:4296
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4548
          • C:\Windows\system\sgaspf080422.exe
            "C:\Windows\system\sgaspf080422.exe" i
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3880

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\inf\svchosts.exe
    Filesize: 60KB
    MD5: 889b99c52a60dd49227c5e485a016679
    SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
    SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
    SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Windows\SysWOW64\lwias16_080422.dll
    Filesize: 29KB
    MD5: 2191d33e25b73ffc27703a238d59007f
    SHA1: 8e598c958bb401740dc82960bba60bfd41c94017
    SHA256: 3d6d281df8d98965a82ccef79dadc5a1246e561fcfd1ebf5a274432b63b86673
    SHA512: 9c2674c5b256b6e2fc590b5ab6ef00cb8887f54fd84b5f640f2dceb5f8fb452c0b7d3ba7c7cede057418d8c84298287e6d6f41efb57710c6db2babebf327e87f

  • C:\Windows\SysWOW64\mwasys32_080422.dll
    Filesize: 214KB
    MD5: 6919dcc6806908842438e0f4361bae4b
    SHA1: 2d5d8e2c9941a9615529c0ee31110cd5f1f6ff6c
    SHA256: e80b022725cf10a5ff20b29c473853006d52904ee6bfafa2ef8bc413c6f8b802
    SHA512: 54e80145a45211204307d649960a555c93982d38cde3ac6eb6bfd78f2c1f56579d33bd9a1527f16728bcd4796ca952595c005d52fa6f1ad643fae636f9b2e6d1

  • C:\Windows\System\sgaspf080422.exe
    Filesize: 107KB
    MD5: 96d80fc2389c7a9fdf25f9f9c517f460
    SHA1: 5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1
    SHA256: 58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db
    SHA512: 9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb

  • C:\Windows\pwisys.ini
    Filesize: 467B
    MD5: 8e37004bc96127f540b189e14d5bd062
    SHA1: 4e1c0a3d4d25e94b8bcfee5a932d6f0e824d73a7
    SHA256: 453271f6cf29ebd3590681138ec45b45641995e7140b81781483df92bbbc1bde
    SHA512: a35dcd61824555ed75d148bedc1ffe2e4a1610fa3570bb0ff27f634c041198edc3aa1183ef008fb77c1589aca8498d2f8293c4a4c5653e0185d26e98ebfeefe1

  • C:\Windows\pwisys.ini
    Filesize: 365B
    MD5: b7eaf0386f1fe7797ffb71f6874afb4c
    SHA1: e56b1935c068f675ab920aee84b5f5a0212afa03
    SHA256: 980eeb04f5b8cf999904c54c742ebf50b9987ab9c4114b21ccb8c4ebe6233b84
    SHA512: f250a1fceeefa69e48d281899ccaa3aeb1e67cd694376c8ae8f88e6165852b095dd4ca52358469ed9dee4e5eeb5311a2af28679d0ec8a08a32fa0b4808a21926

  • C:\Windows\pwisys.ini
    Filesize: 393B
    MD5: d074aa9bd1d7bae05ab78c1a732617b3
    SHA1: b4851e0043b12951de5ffa30b296292909b0facb
    SHA256: 0d662952c37fe276eb3f5863f639976cf328720d2e85afea6a21db9e54a2ef33
    SHA512: 240e2585cd33bc4db3cddf277c65dff871e13f01d56b1961b02fc048bf6c67c1fb936226d8fb02c53d0e31dc4591d4f4f44df68fe4424c58b104221d6e4aa28f

  • C:\Windows\pwisys.ini
    Filesize: 399B
    MD5: bb506910c470076194394278dd91ab55
    SHA1: 65fb5a5f854e0b15cd2c8a55c7849a7640bfb8f5
    SHA256: bbff10d797216c526b8c4c21d52ab5c3edb6f8512a727b42fe73c56b4be54162
    SHA512: 3f5b56a15c2e8518211628ed7501a6d4b6b2d90eed5da7d391a8c9a99a73f5a9afef9b74a9adc03569c69d2eb40fbc363530cdf9f08b336ee7e3584791a76cd8

  • C:\Windows\pwisys.ini
    Filesize: 432B
    MD5: 1c20c38d9a6b0e5f0fe93d20a3026a7e
    SHA1: 42ef421c7434d5480638103ad427b00e00197e55
    SHA256: 25fd851088517d25238e15ed1debeb9301a52a1d30cb2dd340c681e36d783086
    SHA512: f2692adacdb134bd94f4ede85452cf220fc0f046d0d0c72d7543b5d7f12a90424e9e9cf65caa318d34f78aea3175173b753e971eecaf9db9432b49ded05b106e

  • C:\Windows\pwisys.ini
    Filesize: 459B
    MD5: 6302e15320eb3dce22b6f99da550c3c7
    SHA1: de06d1ec9e2bef791383dfe3e35ba3a7c76b2add
    SHA256: 48afa82c5d50ab44d0d3ba29232dd5b785fb1bf2194fde93f23113ecccb793a7
    SHA512: 6e524223d9a1d772ea26eb6c04e3f28503937e77dfbf0c4e9171dbe788732e1162e7d5efa9c74a598439be1111b2bf799e54c42ab036a424fa60cc9c90795b5b

  • C:\Windows\system\sgaspf080422.exe
    Filesize: 107KB
    MD5: 96d80fc2389c7a9fdf25f9f9c517f460
    SHA1: 5b9ed94e4ace2a40f64e3c1278a88f90e5dc63c1
    SHA256: 58d0a48c59575a069412e69d2188432ef97a2d1018aaa657f707850f2cea00db
    SHA512: 9330fd2aae1cd879f7cd53a6294245c462af523d0efcb9289a5074e85dcf71ce0c5359577858e01965c2839f8280426196bc5eba3f20b3851bd0254381bebffb

  • \??\c:\mylstecj.bat
    Filesize: 48B
    MD5: 0ebc61129834fd3c0139fad0797940cd
    SHA1: 6f522479c4c42cfc230c4a580ed158362669a7ba
    SHA256: cbfc19baec9bdd98edce56aee2640c005a121ba8d13664d11640e08e1a2b6709
    SHA512: 41225473b86e1e68e577f9651fc8c409e462201602adb4a1c0b85aa876789bfc7da53b2dd551ec4e72666d4feb915f023afe42319b55fca60cf36916ba53371c
