Analysis

  • max time kernel: 118s
  • max time network: 126s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/11/2022, 15:09

General

  • Target: db8bf91fffd9b4011a38734abc738259c11d400e30df5c81d747b4182811c291.exe
  • Size: 28KB
  • MD5: 20670c2b09a0de2d52dce0bb28470e74
  • SHA1: 6d750b3f4cac35159cbd2290c7737d930d588dc9
  • SHA256: db8bf91fffd9b4011a38734abc738259c11d400e30df5c81d747b4182811c291
  • SHA512: 0e787b6075598c5dc28d3257773ecf265f151f8a13c9f4fa398ce88c1ef5af6690392f2ae63facca3be777a01ab8239a9f61b20711d0bcd85678c04153251f5a
  • SSDEEP: 384:/TRXk1KnP2+DbC+rC+EA37bDQKXQFlDQKXbDFlDoAHdPscGtDr4Jf8:/x+KuzDqvDQXQu3oAHmcisB

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db8bf91fffd9b4011a38734abc738259c11d400e30df5c81d747b4182811c291.exe
    "C:\Users\Admin\AppData\Local\Temp\db8bf91fffd9b4011a38734abc738259c11d400e30df5c81d747b4182811c291.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SE.bat" 0"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SL.bat" 0"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\attrib.exe
        attrib +r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:4208

Network

        MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\SE.bat
    Filesize: 49B
    MD5: d013cc282f8c7dd36aa46b9db97f14ca
    SHA1: 1d6d23a62127302e4a6409aaa45902186bccf552
    SHA256: 46eec18440b6879e3271fb55049330c6c33a89131a0d4bd57631e4633d1d59d0
    SHA512: c171985b9aa7dcb19590e5c40c4512a02776afb67abfc1b984112a5ce6e3a0ad6db61ea3851dbf2b6f5f0ad0495b4b9c33015bfc68a9bb16b46c40c6363705e6

  • C:\Users\Admin\AppData\Local\Temp\SL.bat
    Filesize: 49B
    MD5: e271e0a233b644da15be208de2a9aae1
    SHA1: 732d068d81bcdf50709be42245264e3c0b7670e8
    SHA256: 19951fc879d9c1ca5b53d0451539ec2e5bbdaa6cc3dada46194aded4cc1b8054
    SHA512: edc34083fadcdc9d1b78696b60faa40f75ef7f0f53ee1cd523b87005267f217d00171a13ae9308c42efdaf19e90c1d6526342ceb9a4dedefeeb0d59f2b5f0473

  • memory/2972-132-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2972-139-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB