Overview

overview

8

Static

static

98ddefb43c...9e.exe

windows7-x64

8

98ddefb43c...9e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    58s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98ddefb43cc45f53b1286cce109c91efda259a4e0e6681510f11989fec320b9e.exe

  • Size

    241KB

  • MD5

    ea232ec38c6d1a6fc26e409c22ad04bf

  • SHA1

    7d746b5c4c895f06d3225edfa688214077a63482

  • SHA256

    98ddefb43cc45f53b1286cce109c91efda259a4e0e6681510f11989fec320b9e

  • SHA512

    56164a8a86b48d10ca7407bfbc8f53880cf8431cc6425b1c4c85bb3278f2cd01a111ab3e2f3e897877958b47a9c74e33fa7b91f8ee7a46cf052327ec2541ae81

  • SSDEEP

    6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxIIkij:lXmwRo+mv8QD4+0N46NKxIY

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98ddefb43cc45f53b1286cce109c91efda259a4e0e6681510f11989fec320b9e.exe
    "C:\Users\Admin\AppData\Local\Temp\98ddefb43cc45f53b1286cce109c91efda259a4e0e6681510f11989fec320b9e.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Insata\Ikars\1.txt
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\Insata\Ikars\albur.bat
    Filesize

    1009B

    MD5

    b72eec07f49ca5f55d9dd2b0203fd8d6

    SHA1

    844a4c6bacd822767ae55b9cf1fffa0f6f187046

    SHA256

    213977269cb831de49d6b39d3554ae1369dcf8ffd7ad8179e19f249be5ca395c

    SHA512

    07ddf65060e4955f00956a8234c89836b7a74980100bca87adc6f586a020c86469ab96255a85dfc668490d18df4d53365fbdbdf97c249dbe163819f9bcb9111f

    Download Submit

  • C:\Program Files (x86)\Insata\Ikars\sanodo.vbs
    Filesize

    184B

    MD5

    ec2080277330fb8c2a3d58d784cee484

    SHA1

    31f826302fa167cec67f017d971eb8b0dd543d1a

    SHA256

    fe519e5c92471e84a96107eb5eb95ae9b1c5add1b83da00dbefbc527594ffc56

    SHA512

    6b83a6fb9d2ceab091c7e7dd099dc5c8dd918c48ef83f6491a8534577192db995aaf8a839aa898ccf892b9628284b1100b4cde060dae30b48f03b67313d954d9

    Download Submit

  • memory/328-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1452-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1516-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

    Filesize

    8KB

    Download