Overview

overview

10

Static

static

8

4670a73ccb...eb.exe

windows7-x64

10

4670a73ccb...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe

  • Size

    473KB

  • MD5

    05734ec77bf7ff49ab33faa9ea9241f7

  • SHA1

    3650464a2f997b9530c129d6f1420ab8b4f5bebd

  • SHA256

    4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

  • SHA512

    6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

  • SSDEEP

    12288:jnNhuBoY8SorxgmA+nlvVlg2qn1G3GWVxWu:jPatCg7EPGn1G3GWVMu

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe
    "C:\Users\Admin\AppData\Local\Temp\4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visiblity of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\csrcs.exe
      "C:\Windows\System32\csrcs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2436
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 -w 250 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\suicide.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 -w 250 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\suicide.bat
    Filesize

    141B

    MD5

    9d7ddbc6c331aefed77908f803fca1e5

    SHA1

    d36afa796236730342b216f083c68a39227c13bf

    SHA256

    19f0453504f36aef7d207f11345ed203440a3a8dd1594df1aa072b2f4eeb39bf

    SHA512

    014c7cb15ec0bfc96e1f5b5a66b0bba9b87440256d0e8d9106cef8c4d2f1d244a3063a7abb847957310b2e0c9db466291851d7bb2ff8e6b50e0b9ad907b9b54c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\suicide.bat
    Filesize

    287B

    MD5

    81a4b977163fca252ff5731254c3706a

    SHA1

    bf37a1336c67da451cf2e36d6e08b5e86503e750

    SHA256

    48bbcb7416a5385897819953ed12bdc9676d325aeddf8b1e10f69a74ace0c824

    SHA512

    a99d94f0b113ededcf2f41f029da64131973e4a5b3ce4891b1028ab4050525f332fe5beeb35cb2960ea28cda5dad3b5ff23154de1a070c899c12ccc038a99f9f

    Download Submit

  • C:\Windows\SysWOW64\csrcs.exe
    Filesize

    473KB

    MD5

    05734ec77bf7ff49ab33faa9ea9241f7

    SHA1

    3650464a2f997b9530c129d6f1420ab8b4f5bebd

    SHA256

    4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

    SHA512

    6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

    Download Submit

  • C:\Windows\SysWOW64\csrcs.exe
    Filesize

    473KB

    MD5

    05734ec77bf7ff49ab33faa9ea9241f7

    SHA1

    3650464a2f997b9530c129d6f1420ab8b4f5bebd

    SHA256

    4670a73ccbba29475686f7fd044ff64854fc19949d3efa46cdd48c1c02ef77eb

    SHA512

    6b2dfbe9da01abb5755ec3dc6a24fc6072ab900ed9cba209d59c4ff29620c90b75f235840d0c759ed20a27852f8c92181ba81d887baa1db634a8eac3753b5f0c

    Download Submit

  • memory/212-145-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-138-0x0000000000400000-0x00000000004D3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/1808-136-0x0000000000400000-0x00000000004D3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/1808-133-0x0000000000000000-mapping.dmp

    Download

  • memory/2436-140-0x0000000000000000-mapping.dmp

    Download

  • memory/2524-137-0x0000000000000000-mapping.dmp

    Download

  • memory/3936-141-0x0000000000000000-mapping.dmp

    Download

  • memory/3988-144-0x0000000000000000-mapping.dmp

    Download

  • memory/4416-132-0x0000000000400000-0x00000000004D3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/4416-142-0x0000000000400000-0x00000000004D3000-memory.dmp

    Filesize

    844KB

    Download