Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2022, 15:09

General

  • Target

    2e8c41f782f2440d66163eae97c993eefeb785737076efbfddd6178975044db8.exe

  • Size

    28KB

  • MD5

    328e6e941b66ec19b4f581d214dbb272

  • SHA1

    ceb071b95477d10d21b7fe553920b818d0b23e76

  • SHA256

    2e8c41f782f2440d66163eae97c993eefeb785737076efbfddd6178975044db8

  • SHA512

    2c4200653b1a9f2b13294527f1ce6459fd90e919595d9214e36c5decb4b733e215af6d4fd59769e02aa7047bfdb880ce000c36e72c406c03c576c017a430fd5e

  • SSDEEP

    384:/T+UxLd9sn+G+DLuz+7C+EA3TzzQKXYFlzQKXvFlTGHl3ptDr4qYso7:/S8Lrs9/zzqvzQvQqGHJsqk

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e8c41f782f2440d66163eae97c993eefeb785737076efbfddd6178975044db8.exe
    "C:\Users\Admin\AppData\Local\Temp\2e8c41f782f2440d66163eae97c993eefeb785737076efbfddd6178975044db8.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SE.bat" 0"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:3032
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SL.bat" 0"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\attrib.exe
        attrib +r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:4776

Network


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\SE.bat

          Filesize

          49B

          MD5

          d013cc282f8c7dd36aa46b9db97f14ca

          SHA1

          1d6d23a62127302e4a6409aaa45902186bccf552

          SHA256

          46eec18440b6879e3271fb55049330c6c33a89131a0d4bd57631e4633d1d59d0

          SHA512

          c171985b9aa7dcb19590e5c40c4512a02776afb67abfc1b984112a5ce6e3a0ad6db61ea3851dbf2b6f5f0ad0495b4b9c33015bfc68a9bb16b46c40c6363705e6

        • C:\Users\Admin\AppData\Local\Temp\SL.bat

          Filesize

          49B

          MD5

          e271e0a233b644da15be208de2a9aae1

          SHA1

          732d068d81bcdf50709be42245264e3c0b7670e8

          SHA256

          19951fc879d9c1ca5b53d0451539ec2e5bbdaa6cc3dada46194aded4cc1b8054

          SHA512

          edc34083fadcdc9d1b78696b60faa40f75ef7f0f53ee1cd523b87005267f217d00171a13ae9308c42efdaf19e90c1d6526342ceb9a4dedefeeb0d59f2b5f0473