Overview

overview

8

Static

static

1276dea9bb...4b.exe

windows7-x64

8

1276dea9bb...4b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

  • Size

    172KB

  • MD5

    d8b3807c730d493ba974c13c83621dd8

  • SHA1

    8f4f7519e1c86bd3b123130f60100d7da7a2e53d

  • SHA256

    1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

  • SHA512

    9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

  • SSDEEP

    3072:mJ0A2KvUXh9O5P908zsStvqeSwCKx83lUICxsqcAeSa:O0A2auu10usSJbuKxAlicbS

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
    "C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\temp\svchost.exe
      "C:\Windows\temp\svchost.exe" -install
      2⤵
      • Executes dropped EXE
      PID:4956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~0.bat" "
      2⤵
        PID:1044
    • C:\Windows\temp\svchost.exe
      C:\Windows\temp\svchost.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3192

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~0.bat
      Filesize

      258B

      MD5

      3ec406bfaf2fc1383813314972975c84

      SHA1

      eb38d2a107129c86a910492f5b66fb9002dd9576

      SHA256

      9fafc27e02c57454749b7a5ecfa45024c5813760b21ca571855f0ebb623e032d

      SHA512

      de3e524d92abc4354735f35c88c7f7c972dd4d85d9dab93df91dd6f1c56c0046f27956512a3f66a1b3b1ca82bd127ea7c0c596aec95b1bb3b81037728ac92173

      Download Submit

    • C:\Windows\Temp\svchost.exe
      Filesize

      172KB

      MD5

      d8b3807c730d493ba974c13c83621dd8

      SHA1

      8f4f7519e1c86bd3b123130f60100d7da7a2e53d

      SHA256

      1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

      SHA512

      9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

      Download Submit

    • C:\Windows\Temp\svchost.exe
      Filesize

      172KB

      MD5

      d8b3807c730d493ba974c13c83621dd8

      SHA1

      8f4f7519e1c86bd3b123130f60100d7da7a2e53d

      SHA256

      1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

      SHA512

      9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

      Download Submit

    • C:\Windows\temp\svchost.exe
      Filesize

      172KB

      MD5

      d8b3807c730d493ba974c13c83621dd8

      SHA1

      8f4f7519e1c86bd3b123130f60100d7da7a2e53d

      SHA256

      1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

      SHA512

      9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

      Download Submit

    • memory/1044-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4956-132-0x0000000000000000-mapping.dmp

      Download