Overview

overview

8

Static

static

6b7556f041...ab.exe

windows7-x64

8

6b7556f041...ab.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    200s
  • max time network
    221s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe

  • Size

    241KB

  • MD5

    bcfac5bc01c61811fb62470e9b23bd38

  • SHA1

    0fd0506958682877a7a599112786ab0ac0b2f9ab

  • SHA256

    6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab

  • SHA512

    05b1509f5ba3c7e3f1488d92d8a58ea46b8f53ad33b0ee8fefa5ebae779a0e377f5b4842f2aadff551d44d58e7a9c66f01efa4ece853da9d4c2d3f3574878267

  • SSDEEP

    6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKx6afRstZzwU:lXmwRo+mv8QD4+0N46NKx6KbU

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe
    "C:\Users\Admin\AppData\Local\Temp\6b7556f041002f20a35ac528e4732f257357f0edeb47f759f591a884960c6eab.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Insata\Ikars\1.txt
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit
  • C:\Program Files (x86)\Insata\Ikars\albur.bat
    Filesize

    890B

    MD5

    7e849d41e38ab830968b4571e928f932

    SHA1

    ce6473a24bfe3efe9702fa2138686991632afa12

    SHA256

    66cdc2ee349bc429ebb4fb7a940030c1659d0a8447bb0ead56b1e785c210a479

    SHA512

    39d02b11e7152b67a7f70de110f29679829e8affe902880a9f9db8dfc4c1bb264e72c9efd429258809cfe54889c6f69edbe96fa552fd9443f0e9eeb21d2c77b7

    Download Submit
  • C:\Program Files (x86)\Insata\Ikars\sanodo.vbs
    Filesize

    184B

    MD5

    65c4b3a3e24b7b00d8b52ceefdeac383

    SHA1

    7c3f1e013b32460544f7692a29fd1447e0fe3212

    SHA256

    d85a00da258b5c553342f8aab2dc630f3c6e6bf6256dbc59b03e7b5e7b094726

    SHA512

    7fbfceb78aca9c41d10f209f8a81adb9ca2a623519f970b937e1825e1689c63c2e016121dc05f7bbdd8fdb510681d8589ebe31ecaee3865206cfa8d0d22f5ecd

    Download Submit
  • memory/216-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2556-136-0x0000000000000000-mapping.dmp
    Download