Overview

overview

8

Static

static

ceaeb5383e...78.exe

windows7-x64

8

ceaeb5383e...78.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2022 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceaeb5383e6c0589de9a73e409896478.exe

  • Size

    424KB

  • MD5

    ceaeb5383e6c0589de9a73e409896478

  • SHA1

    4cabab69582fa3fb2e131ec4d84ba41e70b2919b

  • SHA256

    21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9

  • SHA512

    cde384735bdc0c8d259d506bf6e229bbf7b7974b06fdadfe9734d9d8de3dc3852558cc92e868cd1c2b7b04b0961d1ca8ba1b166314a7a6cfdced0ef176e9e5c7

  • SSDEEP

    12288:kTjrxyMe1PKMK/lGRgOUqmq9kR6lhKXZ4juje8y:+j4fPKMK/cRgOnmq9g66GUe8y

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceaeb5383e6c0589de9a73e409896478.exe
    "C:\Users\Admin\AppData\Local\Temp\ceaeb5383e6c0589de9a73e409896478.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelGAS1.4.3.6." /TR "C:\ProgramData\IntelToolSkits\IntelGAS-Ver1.4.3.6.exe" /SC MINUTE
      2⤵
      • Creates scheduled task(s)
      PID:3416
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\IntelToolSkits" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:2512
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\IntelToolSkits" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:2964
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\IntelToolSkits" /inheritance:e /deny "adMnepoxyFEYWGOLmin:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:2332
  • C:\ProgramData\IntelToolSkits\IntelGAS-Ver1.4.3.6.exe
    C:\ProgramData\IntelToolSkits\IntelGAS-Ver1.4.3.6.exe
    1⤵
    • Executes dropped EXE
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\IntelToolSkits\IntelGAS-Ver1.4.3.6.exe
    Filesize

    424KB

    MD5

    ceaeb5383e6c0589de9a73e409896478

    SHA1

    4cabab69582fa3fb2e131ec4d84ba41e70b2919b

    SHA256

    21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9

    SHA512

    cde384735bdc0c8d259d506bf6e229bbf7b7974b06fdadfe9734d9d8de3dc3852558cc92e868cd1c2b7b04b0961d1ca8ba1b166314a7a6cfdced0ef176e9e5c7

    Download Submit

  • C:\ProgramData\IntelToolSkits\IntelGAS-Ver1.4.3.6.exe
    Filesize

    424KB

    MD5

    ceaeb5383e6c0589de9a73e409896478

    SHA1

    4cabab69582fa3fb2e131ec4d84ba41e70b2919b

    SHA256

    21659f7b55d30fd92b976f7eff8fc635d3e536926536ffeee79364afa68b77e9

    SHA512

    cde384735bdc0c8d259d506bf6e229bbf7b7974b06fdadfe9734d9d8de3dc3852558cc92e868cd1c2b7b04b0961d1ca8ba1b166314a7a6cfdced0ef176e9e5c7

    Download Submit

  • memory/1484-142-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1484-143-0x0000000002170000-0x00000000021D0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/5116-132-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/5116-133-0x0000000002270000-0x00000000022D0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/5116-139-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/5116-140-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download