Overview

overview

8

Static

static

Trojan-Ran...er.exe

windows7-x64

8

Trojan-Ran...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2022 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan-Ransom.Win32.Blocker.exe

  • Size

    191KB

  • MD5

    dca30ed8ed2e1b0cd9e33d5a5f069d41

  • SHA1

    aed616497015c68305b45d5914125456266d8a56

  • SHA256

    a1397e04e67079d8efba3da04abed1cefb81a819f7c0d5bc9083f10605301e8e

  • SHA512

    6a7b6f3480bdc694d764cda9dfae1763490dbd309af508df582e2a9860eafa6b932681342ee7a7537204265cceaa0ea69188afc8d7559035a2c2f7f92555e1e9

  • SSDEEP

    3072:tJ1eo3Qj+8NhvDtQiJNXs3vXCT8uzl8PcRZzFPk2I111KYiI1Uk1g:kg8Nds3vSTHlJHMziy1

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        3⤵
        • Adds policy Run key to start application
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:3232
    • C:\Users\Admin\Music\fixmapi.exe
      "C:\Users\Admin\Music\fixmapi.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Users\Admin\Music\wdmaud.exe
        "C:\Users\Admin\Music\wdmaud.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          4⤵
          • Maps connected drives based on registry
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            5⤵
            • Drops file in Windows directory
            PID:2308
        • C:\Users\Admin\Music\fixmapi.exe
          "C:\Users\Admin\Music\fixmapi.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fixmapi.exe.log
    Filesize

    224B

    MD5

    c19eb8c8e7a40e6b987f9d2ee952996e

    SHA1

    6fc3049855bc9100643e162511673c6df0f28bfb

    SHA256

    677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

    SHA512

    860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

    Download Submit

  • C:\Users\Admin\Music\fixmapi.exe
    Filesize

    16KB

    MD5

    4ec62b0699655eb20fd214eec15c51ab

    SHA1

    f6cfe1fa8e24075108a366b4221363a237d49612

    SHA256

    188458191d34e71ba6c626cab667ea82c6e2bad7f4c42303be19b97aaf7e84d5

    SHA512

    041191306ac832856b39731cd0f3730b6b8a16eb79d389b2886232371d304e58f8a6a07aee73ad9ad35f079f3838fe3507ad1f7355ca034a504edcffc29fb329

    Download Submit

  • C:\Users\Admin\Music\fixmapi.exe
    Filesize

    16KB

    MD5

    4ec62b0699655eb20fd214eec15c51ab

    SHA1

    f6cfe1fa8e24075108a366b4221363a237d49612

    SHA256

    188458191d34e71ba6c626cab667ea82c6e2bad7f4c42303be19b97aaf7e84d5

    SHA512

    041191306ac832856b39731cd0f3730b6b8a16eb79d389b2886232371d304e58f8a6a07aee73ad9ad35f079f3838fe3507ad1f7355ca034a504edcffc29fb329

    Download Submit

  • C:\Users\Admin\Music\fixmapi.exe
    Filesize

    16KB

    MD5

    4ec62b0699655eb20fd214eec15c51ab

    SHA1

    f6cfe1fa8e24075108a366b4221363a237d49612

    SHA256

    188458191d34e71ba6c626cab667ea82c6e2bad7f4c42303be19b97aaf7e84d5

    SHA512

    041191306ac832856b39731cd0f3730b6b8a16eb79d389b2886232371d304e58f8a6a07aee73ad9ad35f079f3838fe3507ad1f7355ca034a504edcffc29fb329

    Download Submit

  • C:\Users\Admin\Music\fixmapi.exe
    Filesize

    16KB

    MD5

    4ec62b0699655eb20fd214eec15c51ab

    SHA1

    f6cfe1fa8e24075108a366b4221363a237d49612

    SHA256

    188458191d34e71ba6c626cab667ea82c6e2bad7f4c42303be19b97aaf7e84d5

    SHA512

    041191306ac832856b39731cd0f3730b6b8a16eb79d389b2886232371d304e58f8a6a07aee73ad9ad35f079f3838fe3507ad1f7355ca034a504edcffc29fb329

    Download Submit

  • C:\Users\Admin\Music\wdmaud.exe
    Filesize

    191KB

    MD5

    dca30ed8ed2e1b0cd9e33d5a5f069d41

    SHA1

    aed616497015c68305b45d5914125456266d8a56

    SHA256

    a1397e04e67079d8efba3da04abed1cefb81a819f7c0d5bc9083f10605301e8e

    SHA512

    6a7b6f3480bdc694d764cda9dfae1763490dbd309af508df582e2a9860eafa6b932681342ee7a7537204265cceaa0ea69188afc8d7559035a2c2f7f92555e1e9

    Download Submit

  • C:\Users\Admin\Music\wdmaud.exe
    Filesize

    191KB

    MD5

    dca30ed8ed2e1b0cd9e33d5a5f069d41

    SHA1

    aed616497015c68305b45d5914125456266d8a56

    SHA256

    a1397e04e67079d8efba3da04abed1cefb81a819f7c0d5bc9083f10605301e8e

    SHA512

    6a7b6f3480bdc694d764cda9dfae1763490dbd309af508df582e2a9860eafa6b932681342ee7a7537204265cceaa0ea69188afc8d7559035a2c2f7f92555e1e9

    Download Submit

  • memory/680-155-0x0000000000000000-mapping.dmp

    Download

  • memory/680-163-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/680-159-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2128-152-0x0000000000000000-mapping.dmp

    Download

  • memory/2308-162-0x0000000000E10000-0x0000000000E15000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2308-154-0x0000000000000000-mapping.dmp

    Download

  • memory/2308-161-0x0000000000E10000-0x0000000000E15000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2308-160-0x0000000000080000-0x000000000008E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3232-138-0x0000000000080000-0x000000000008E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3232-143-0x0000000000D20000-0x0000000000D25000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3232-136-0x0000000000000000-mapping.dmp

    Download

  • memory/3232-137-0x0000000000D20000-0x0000000000D25000-memory.dmp

    Filesize

    20KB

    Download

  • memory/4056-146-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4056-150-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4056-139-0x0000000000000000-mapping.dmp

    Download

  • memory/4056-142-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4424-135-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

  • memory/4424-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4512-151-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4512-133-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4512-132-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5032-149-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5032-148-0x0000000074AD0000-0x0000000075081000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5032-145-0x0000000000000000-mapping.dmp

    Download