Analysis

  • max time kernel
    52s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 06:51

General

  • Target
    20d84e52d5bd718dbc71e0abbec70425be63455b2904e3dc452a72c55aa338f1.exe
  • Size
    241KB
  • MD5
    84947ac590ddd1d873325f046c021326
  • SHA1
    25bd5e935eb5c6d0b92e4d9af15570d0ec9ec08b
  • SHA256
    20d84e52d5bd718dbc71e0abbec70425be63455b2904e3dc452a72c55aa338f1
  • SHA512
    cdf2185a04062ebca4590655b124ab12c8dce962108cf82b929424731e476f70151897d63000b7753f118fe0fcb35f8f39586725aad862f11ccdf49075c3620e
  • SSDEEP
    6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxXV6zYh4OEYS:lXmwRo+mv8QD4+0N46NKxXV68h4ObS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20d84e52d5bd718dbc71e0abbec70425be63455b2904e3dc452a72c55aa338f1.exe
    "C:\Users\Admin\AppData\Local\Temp\20d84e52d5bd718dbc71e0abbec70425be63455b2904e3dc452a72c55aa338f1.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:864

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Insata\Ikars\1.txt
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\Insata\Ikars\albur.bat
    Filesize: 1KB
    MD5: dd173bc2b5feea437534492907a29f0d
    SHA1: 455cbfa1a6612508c11460483c46fe2c333bb90b
    SHA256: 3e92aadb78cf6c16842a2c76e17e0c4716b4abafc4c8592b137772aa230d364c
    SHA512: 8bd9843b254c901055941246f8815a0ae9171c443bd4e00d14ae6078ddcc343a813ea704cbab53c77458435df4d96e39dd96b15e44ce49be126158005241ba6d

  • C:\Program Files (x86)\Insata\Ikars\sanodo.vbs
    Filesize: 187B
    MD5: e5e0e2efc00f5f025cba1726dc406f3b
    SHA1: ac22485a61a13ce216043e6fd5274b156490c9c1
    SHA256: 35b2a7731a2f73ed2a4d9d8d9c6ab7643c01843daffb1876887b28290f506395
    SHA512: f4956e2bb8609325ca2c746f21687f0735797864c747dd766aaa304ec63d5f99af17569694ac4545e2d5f6cf362eaf05fc277170473a188976b1a18860e58c96

  • memory/864-60-0x0000000000000000-mapping.dmp

  • memory/1260-54-0x0000000076381000-0x0000000076383000-memory.dmp
    Filesize: 8KB

  • memory/1316-55-0x0000000000000000-mapping.dmp