Analysis

  • max time kernel
    165s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 05:36

General

  • Target

    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe

  • Size

    419KB

  • MD5

    0c85f8e37afb7b1bf85ad3d38746ec90

  • SHA1

    b725e2e59964812866eb92cfef09fe5bef3f6d93

  • SHA256

    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b

  • SHA512

    e87e42c8664681d2b9d5abe899466486635ad6a799fd0632e43b4428a700d3cca45869b04a71f53c1bbf63b9411cab4a626b7b91773f7317e4cb489aa2451e53

  • SSDEEP

    12288:1g2MA3Mw3Ewq/4QhSQTS7jb90EFwDviaPAm:F33v3EwVQmykqiaPP

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Modifies Windows Firewall (1 TTPs, 1 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable (3 IoCs)

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe
    "C:\Users\Admin\AppData\Local\Temp\caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe" "del" C:\Users\Admin\AppData\Local\Temp\caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2188

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\System.exe

    Filesize

    419KB

    MD5

    0c85f8e37afb7b1bf85ad3d38746ec90

    SHA1

    b725e2e59964812866eb92cfef09fe5bef3f6d93

    SHA256

    caae72a918fd4ee10d71445a4d09355b116de4247b37159d1607d2bf5e49883b

    SHA512

    e87e42c8664681d2b9d5abe899466486635ad6a799fd0632e43b4428a700d3cca45869b04a71f53c1bbf63b9411cab4a626b7b91773f7317e4cb489aa2451e53

  • C:\Users\Admin\AppData\Local\Temp\System.exe.ini

    Filesize

    11B

    MD5

    301a3e5a5c08c60b2952122a97e1a838

    SHA1

    c85da2ebd9e1098eed686b8c74016bee728bb942

    SHA256

    89886e624db56b7f7e7a0a857fc7e63ebfffe9eb69b329489b79dd0a3e24f7fa

    SHA512

    ce1dcdad347d6c8e6a798b915f8a8d8ac1be4851c0064ab62e80aa85103a472f402b688e94950099a812db1134917fe9d51a7dfa0504e0174e94acdad8ee34d9

  • memory/4512-136-0x0000000000AB0000-0x0000000000B9D000-memory.dmp

    Filesize

    948KB

  • memory/4512-140-0x0000000000AB0000-0x0000000000B9D000-memory.dmp

    Filesize

    948KB

  • memory/4876-132-0x0000000000350000-0x000000000043D000-memory.dmp

    Filesize

    948KB

  • memory/4876-138-0x0000000000350000-0x000000000043D000-memory.dmp

    Filesize

    948KB