Overview

overview

7

Static

static

9ec63c2579...52.exe

windows7-x64

7

9ec63c2579...52.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    101s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2022, 19:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9ec63c25795c38d985510e81cce78252.exe

  • Size

    2.0MB

  • MD5

    9ec63c25795c38d985510e81cce78252

  • SHA1

    46d59d088bbc617fc1cc4d364f28f754ae3f6338

  • SHA256

    f46ade4fe12048babf7950ffeca4678809629af3710e538918029b4f2a904aa7

  • SHA512

    9ea2e1ec031531785cfd1930ce8fe6f302218794358b23d2077c0bb042e6c65a9ac031f5fd94162d3017b764b8aa2281b5053c202bafcd9ddc0eba7e3c1a54cc

  • SSDEEP

    49152:HYJthRHvTf38wdV7THvvF40zX3PzjYrCAn+Y:HYvh2iV7zvFnYrCA+Y

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ec63c25795c38d985510e81cce78252.exe
    "C:\Users\Admin\AppData\Local\Temp\9ec63c25795c38d985510e81cce78252.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" PBOGMwS.FQe /s
      2⤵
      • Loads dropped DLL
      PID:1532

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\PBOGMwS.FQe
          Filesize

          1.6MB

          MD5

          979c4b6399c342b0c862018dd887e89a

          SHA1

          9f27ccf7b2e8e48ffd54c58aa0bbc246df8e398e

          SHA256

          6dd4ae355acbd54256a2a168c25cdf1c4b23837fa853ab3307370191a903874c

          SHA512

          a00efb89a1b4bdc2ecf4467ccd162f903e1fa13b3a98bc9b1b5c13d17fc411fdf37640a21da691e7abcb7ace893af6d32d609a9fcaf9bf5b42e645ef8c531bc1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\pbogMws.fqe
          Filesize

          1.6MB

          MD5

          979c4b6399c342b0c862018dd887e89a

          SHA1

          9f27ccf7b2e8e48ffd54c58aa0bbc246df8e398e

          SHA256

          6dd4ae355acbd54256a2a168c25cdf1c4b23837fa853ab3307370191a903874c

          SHA512

          a00efb89a1b4bdc2ecf4467ccd162f903e1fa13b3a98bc9b1b5c13d17fc411fdf37640a21da691e7abcb7ace893af6d32d609a9fcaf9bf5b42e645ef8c531bc1

          Download Submit

        • memory/1532-135-0x0000000002970000-0x0000000002AB1000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1532-136-0x0000000002C00000-0x0000000002D3E000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1532-137-0x0000000002D40000-0x0000000002E07000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1532-139-0x0000000002E10000-0x0000000002EC3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1532-138-0x0000000002E10000-0x0000000002EC3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1532-141-0x0000000002C00000-0x0000000002D3E000-memory.dmp

          Filesize

          1.2MB

          Download