Overview

overview

8

Static

static

1

89cc0118e8...eb.exe

windows7-x64

8

89cc0118e8...eb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2022 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb.exe

  • Size

    564KB

  • MD5

    83289a0e448e6c43d4ee5984524525e8

  • SHA1

    472e1dac4ff9be110c040a5c76a72e12929ec37a

  • SHA256

    89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb

  • SHA512

    777b7aad35a53b544237ffd6c84e059069e32fc0dbdb815dbbe5c10eefc04b0f5b9ff9cd9460478ec2e2e1d50e9d952a3757e8abc99d40090c01416d6f117000

  • SSDEEP

    12288:u+MDtCi7NFlZnNqZ9xGrLpZ0ZHEqtgb0Uq:utplNFgxG5eZngb0p

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 2 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb.exe
    "C:\Users\Admin\AppData\Local\Temp\89cc0118e8523f29185f25c5aba53f907151dae7b5d54df289352c11137f88eb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"
        3⤵
          PID:1476
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\1.vbs"
          3⤵
            PID:2068
        • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4748
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2404
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
            3⤵
              PID:2256

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
          Filesize

          35KB

          MD5

          08f52a4ccd01913b9a9691093a64366f

          SHA1

          e44c6620b4107a0f55e89f632c007a9a1ec88119

          SHA256

          85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

          SHA512

          d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          Filesize

          467KB

          MD5

          74869a0346ab36bbba85022612505121

          SHA1

          2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

          SHA256

          6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

          SHA512

          723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          Filesize

          467KB

          MD5

          74869a0346ab36bbba85022612505121

          SHA1

          2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

          SHA256

          6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

          SHA512

          723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

          Download Submit

        • C:\newsetup.vbs
          Filesize

          631B

          MD5

          5e2c0c26e344eeae4304c9bb561ea89b

          SHA1

          4664f9d0f582ab586ab197515aa45499eb18db41

          SHA256

          f74ed58e1ff45165abf943ff0364fff8e5d873b9051ccba0da940399fbd8aac3

          SHA512

          4aa5f6d5c35160470f99808dab9a68f826e726eae0b7f536e71665b978d72502faf971c4f9f2a9a792b3aca04736c9c97d633da7b34b50dbd3831dcb67284d97

          Download Submit

        • memory/4840-140-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/4840-145-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download