Overview

overview

8

Static

static

1

0416989262...fc.exe

windows7-x64

8

0416989262...fc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    210s
  • max time network
    230s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 18:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    041698926287077b77e276b4cd5fa52964b3f17693ccc4ca9311b05499f0f7fc.exe

  • Size

    564KB

  • MD5

    0f572a251c8bf0cfd1e265996a90e606

  • SHA1

    e293aa35cee656fbbe2cee9b553399a35bb463f4

  • SHA256

    041698926287077b77e276b4cd5fa52964b3f17693ccc4ca9311b05499f0f7fc

  • SHA512

    3786fd1a4806e6e9460ad936e7077e178698810fa6020cdff2a20f2ad6f22548a9da4f9f0114b41550002474f768b77d9567d705c1b7dcf632f64c66af3d542e

  • SSDEEP

    12288:u+MDtCi7NFlZnNqZ9xGrLpZ0ZHEqtgb0UW:utplNFgxG5eZngb0t

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 2 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\041698926287077b77e276b4cd5fa52964b3f17693ccc4ca9311b05499f0f7fc.exe
    "C:\Users\Admin\AppData\Local\Temp\041698926287077b77e276b4cd5fa52964b3f17693ccc4ca9311b05499f0f7fc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"
        3⤵
          PID:4528
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\1.vbs"
          3⤵
            PID:4400
        • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4624
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2408
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
            3⤵
              PID:2876

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
                Filesize

                35KB

                MD5

                08f52a4ccd01913b9a9691093a64366f

                SHA1

                e44c6620b4107a0f55e89f632c007a9a1ec88119

                SHA256

                85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

                SHA512

                d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
                Filesize

                35KB

                MD5

                08f52a4ccd01913b9a9691093a64366f

                SHA1

                e44c6620b4107a0f55e89f632c007a9a1ec88119

                SHA256

                85357e0168e34f2d01f319a0f129132b77f03cafb6820ecf6dda64a39266582d

                SHA512

                d6a9eed3a663f59047cb6d74aed375a7041060921ea80835f039726fa171fbf7b030c29a4c3059ae875058605f54bebfcba7d4daaf36b5ed1cb960e91d4755fc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
                Filesize

                467KB

                MD5

                74869a0346ab36bbba85022612505121

                SHA1

                2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

                SHA256

                6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

                SHA512

                723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
                Filesize

                467KB

                MD5

                74869a0346ab36bbba85022612505121

                SHA1

                2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

                SHA256

                6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

                SHA512

                723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

                Download Submit

              • C:\newsetup.vbs
                Filesize

                631B

                MD5

                5e2c0c26e344eeae4304c9bb561ea89b

                SHA1

                4664f9d0f582ab586ab197515aa45499eb18db41

                SHA256

                f74ed58e1ff45165abf943ff0364fff8e5d873b9051ccba0da940399fbd8aac3

                SHA512

                4aa5f6d5c35160470f99808dab9a68f826e726eae0b7f536e71665b978d72502faf971c4f9f2a9a792b3aca04736c9c97d633da7b34b50dbd3831dcb67284d97

                Download Submit

              • memory/4624-143-0x0000000000400000-0x000000000048A000-memory.dmp

                Filesize

                552KB

                Download

              • memory/4624-145-0x0000000000400000-0x000000000048A000-memory.dmp

                Filesize

                552KB

                Download