Overview

overview

7

Static

static

b547d185a9...8f.exe

windows7-x64

3

b547d185a9...8f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2022 21:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b547d185a98041ba8dd24383c3c989c81d040c590ae1d5175240644c438d658f.exe

  • Size

    915KB

  • MD5

    0d614a0712ec6573a26f5ebe115015e0

  • SHA1

    05c1e378ed1f28150e7d02cd02309c2c8b946609

  • SHA256

    b547d185a98041ba8dd24383c3c989c81d040c590ae1d5175240644c438d658f

  • SHA512

    9cbfd8120b93272202199b1f12556809f874cc405027229d9b68ade8f555434b7c9f4f9e116b9942fd1d454197517ef422200ef206f69f539276be58460fe461

  • SSDEEP

    24576:pWbwe8k1lPLTODATNWdXj+c8kIqBssI5:w8k/PLTODCeKcdBu5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b547d185a98041ba8dd24383c3c989c81d040c590ae1d5175240644c438d658f.exe
    "C:\Users\Admin\AppData\Local\Temp\b547d185a98041ba8dd24383c3c989c81d040c590ae1d5175240644c438d658f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        3⤵
          PID:548

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
      Filesize

      358B

      MD5

      7d9289c228c74e58eb4ae7e29cfb73f5

      SHA1

      654fb15e15c416ef3e72dc19095eb394333bc0dd

      SHA256

      a52a1f76afd0d5b8af2226733dac2c3f5fdda6b0f734bf2a24bfbc54587fb0ba

      SHA512

      153bd606cacc79673190cffc9d8310100979bc9e06b2d7c42a900d3c4c5edc6ca754f7d3108d86825de66e11106dcb4a4d60e91391e633f34b1b2ca2a44bfbc4

      Download Submit

    • memory/2540-132-0x0000000000400000-0x00000000006B0000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/2540-134-0x0000000000400000-0x00000000006B0000-memory.dmp

      Filesize

      2.7MB

      Download