Overview

overview

8

Static

static

b40b88a714...7f.exe

windows7-x64

8

b40b88a714...7f.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    159s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe

  • Size

    24KB

  • MD5

    8552d57b2bcac7b80b7c3d15d1f4abfb

  • SHA1

    b59da154ef1341f7ef6f2fd86e307261ae8b9810

  • SHA256

    b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f

  • SHA512

    b0c002f775a255dfc0463609e5b07364da5b19c6190c8a5eeb3c113ff9a07990bc7d9e24c217af44f65695732f1da51294aa54e1d109afd93edb0db21d162ff1

  • SSDEEP

    384:GLfw1wdTQTls4Ynp36Ky+do4kfaqCKy1Xs2mU:GrGwdsTlV4K+dotaqCKEX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe
    "C:\Users\Admin\AppData\Local\Temp\b40b88a714696986c7a3ff4bd86cb1645e50c8d80e512945ddcfb71e2b10bc7f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\ygczw.exe
      "C:\Users\Admin\AppData\Local\Temp\ygczw.exe"
      2⤵
      • Executes dropped EXE
      PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ygczw.exe
    Filesize

    24KB

    MD5

    2597bc1284c04a8d443df69408d43ea1

    SHA1

    170a3d541e57ed6df3eae0a74dea998a91aecd81

    SHA256

    55d02bf04f75887213682d336d0951a995ba64a3d06369c08e1af669f818d3fb

    SHA512

    3facacf3e13697f16f52b0c2b62986da17d20d236a790ef7db4c79e8c0271c3d1655bb4d257149ec107877d6dffe09040bfdb3ca4d520920561931852008b048

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ygczw.exe
    Filesize

    24KB

    MD5

    2597bc1284c04a8d443df69408d43ea1

    SHA1

    170a3d541e57ed6df3eae0a74dea998a91aecd81

    SHA256

    55d02bf04f75887213682d336d0951a995ba64a3d06369c08e1af669f818d3fb

    SHA512

    3facacf3e13697f16f52b0c2b62986da17d20d236a790ef7db4c79e8c0271c3d1655bb4d257149ec107877d6dffe09040bfdb3ca4d520920561931852008b048

    Download Submit
  • memory/908-132-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize

    12KB

    Download
  • memory/908-133-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4120-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4120-138-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download