Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 09:35

General

  • Target: d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe
  • Size: 7.7MB
  • MD5: fd9f596b0d88024cffa94540cb837e6b
  • SHA1: 85704c78d3726ac45ff0fc9b6504873a56a8094c
  • SHA256: d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2
  • SHA512: 47154c927ea66deef12e4f4ebbfa11e115afd9a484b2015a64f018ca9a1568b5de1692a1315b492d4f79b8721a7dfa2728a2c10a3717d6dce550e0761928b7e5
  • SSDEEP: 196608:d/p7W7CxzD/64edSppgTeFCa28Ry4SaZywpBwO3+76sdZGat4r:dx7Yw3/iSpeU3ZRjJyw7wI+71rGat4r

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe
    "C:\Users\Admin\AppData\Local\Temp\d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3392
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:3000
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /S reg.reg
        3⤵
        • Runs .reg file with regedit
        PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (1): T1012
    • System Information Discovery (2): T1082

Downloads

  • C:\Program Files (x86)\Internet Download Manager\REG.reg
    Filesize: 1KB
    MD5: b5a4d7472c0cea64a0b2f02a4c15aa5b
    SHA1: 2a1b37222568bf0571ff23248497cab0ff1b66bf
    SHA256: 570d4af82f9892fcc84c9205d38da0713a596f9fcaf944a65494ac47bdfd98f4
    SHA512: c048c6196ea2eef0cc60f4472b71ecc7dc5f9813168c8bbfd8d5fdd013d8ad543fc802c793ba462985505d4c5b89a2cd473724cf9d4cf873a8391f0f5d90d8c5

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
    Filesize: 97KB
    MD5: 4cf55abdd357a8284a5a8a4e9238541d
    SHA1: 7aaa62953f24552b1427973d72f4220715004626
    SHA256: 449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970
    SHA512: aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
    Filesize: 7.4MB
    MD5: 0ccbff0f52ecfeee22366fa7c19e7cfb
    SHA1: 124f5094947e1877fc6cb7a5ffe6c750a0109061
    SHA256: 3f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15
    SHA512: 7c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46

  • memory/3000-132-0x0000000000000000-mapping.dmp
  • memory/4028-138-0x0000000000000000-mapping.dmp
  • memory/4084-135-0x0000000000000000-mapping.dmp