Overview

overview

10

Static

static

86d22fb92b...7c.exe

windows7-x64

10

86d22fb92b...7c.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe

  • Size

    606KB

  • MD5

    720d10b1cf1f0ffea760e4614547a371

  • SHA1

    a68f59f07bbacbd75e1951082bf2a66cc3936c9e

  • SHA256

    86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c

  • SHA512

    2efe8967868821c934ce4bf2c55b486ad9f2942dbb2b4509938a6d6273b1a7d7d2644bcb93cbe63298669d257871fc2a38aecf33e73ac0849c58e3d9d7029019

  • SSDEEP

    12288:lZ72G7ahUmH2fG+nW6ITjKdXix4ZQ/gyblukHCGrFp:n729UmH2++XIa12lbQYCGBp

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
    "C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe
      "C:\Users\Admin\AppData\Local\Temp\86d22fb92b826680dc0bd40f101f63ed60d31e97f0e5428e0fd288010d773e7c.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
      2⤵
      • Executes dropped EXE
      PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
    Filesize

    6KB

    MD5

    81cd48fa8f0a70fe3872780af4f96055

    SHA1

    fe725ffab8ad3be4df9b6205894a665f67668af5

    SHA256

    66dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991

    SHA512

    ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
    Filesize

    6KB

    MD5

    81cd48fa8f0a70fe3872780af4f96055

    SHA1

    fe725ffab8ad3be4df9b6205894a665f67668af5

    SHA256

    66dcd6ab5721af5efce98e4d04dc46059f59480481b60f675cbe05fc0758b991

    SHA512

    ad22d4a56f9d86ca4d80b9fd51151fbf8b71b2f96a5a95999a582ab9cf5626e8e2b4cc71a0ff27cf581d7091f842222ac9538eced4847572d28948446e66d1e7

    Download Submit
  • memory/1948-132-0x0000000074B70000-0x0000000075121000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1948-133-0x0000000074B70000-0x0000000075121000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3580-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3580-140-0x0000000074B70000-0x0000000075121000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/5024-134-0x0000000000000000-mapping.dmp
    Download
  • memory/5024-135-0x0000000000400000-0x0000000000484000-memory.dmp
    Filesize

    528KB

    Download
  • memory/5024-136-0x0000000074B70000-0x0000000075121000-memory.dmp
    Filesize

    5.7MB

    Download