Overview

overview

7

Static

static

64735a1cf9...89.exe

windows7-x64

7

64735a1cf9...89.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2022, 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe

  • Size

    30KB

  • MD5

    72fc2816c0706df8b4cf6d6527705400

  • SHA1

    94bc7e140d064d679ddbeafc9fc1b07243fa2731

  • SHA256

    64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389

  • SHA512

    74704dc890cca37dcbf60057a4370c3590131f36117cab92c51ad95e8dec193f6f9bb102584be63b1506c8e5328eb1075f930dd845d2c8a9a88f9b324fadb9d6

  • SSDEEP

    768:bLt9cVrFuxrzrldoAk26gGue3wU+H8ZCD:bJcRyrldpx3Gu2SH8ZCD

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Modifies WinLogon 2 TTPs 7 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe
    "C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:204
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gosB124.bat"
      2⤵
        PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.bat"
        2⤵
          PID:1584

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.bat
        Filesize

        361B

        MD5

        e20478d2f9706857c8ac68db7e1a4c0a

        SHA1

        ebed4cd0b53eaa1e83a49ed134f3fcbe9b18218b

        SHA256

        67100b03f75bf2d47502543130490c4637fa19539d850978e446ae754c3de4b9

        SHA512

        f8d7bb416098d743d1662fa6a7ce4bc3f6c4d556b10a37ea79661bd98794208ad1d7018d49691e7cdd7daa2d1ccafd42b5f52efa5ffa03182411784c9825028b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gosB124.bat
        Filesize

        190B

        MD5

        d5aa909febed58df9567011579e4977d

        SHA1

        f1866a380521131044f26c16404033d6252fde5b

        SHA256

        d4bfc234688e0880b2621b3eac81597e8616d7ca7832b35f3cb5f6bb5ce6f176

        SHA512

        da80c4d19db5f1750f58c4c35dfc490cc258e3498fa84dc51a4d233b15043911009576b0734337f495c899e92c85faec1ec43fb366ca75a749ba1b1072a895c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gosB124.tmp
        Filesize

        21KB

        MD5

        3ce3efca63544003a973d95a16470d8c

        SHA1

        2a2b1df082f0aabe3f6323a79f480be85866c2a6

        SHA256

        40d20cad46c93366ea0308b90ad225f5ba5120c809bac8a7890be46a8c5ce91f

        SHA512

        2aca4be55db254cbd12dd321e24510be83dd6931d0844e544b410a21f303ce4dcaeece85f7a9ebdfbc1ddb8c6109877345912986bab71f22a2f9a03c832138f2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gosB124.tmp
        Filesize

        21KB

        MD5

        3ce3efca63544003a973d95a16470d8c

        SHA1

        2a2b1df082f0aabe3f6323a79f480be85866c2a6

        SHA256

        40d20cad46c93366ea0308b90ad225f5ba5120c809bac8a7890be46a8c5ce91f

        SHA512

        2aca4be55db254cbd12dd321e24510be83dd6931d0844e544b410a21f303ce4dcaeece85f7a9ebdfbc1ddb8c6109877345912986bab71f22a2f9a03c832138f2

        Download Submit

      • memory/2428-141-0x0000000000030000-0x0000000000035000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2428-137-0x0000000002030000-0x0000000002035000-memory.dmp

        Filesize

        20KB

        Download

      • memory/2428-140-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2428-132-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2428-136-0x0000000010000000-0x0000000010010000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2428-133-0x0000000000030000-0x0000000000035000-memory.dmp

        Filesize

        20KB

        Download