Analysis

  • max time kernel
    184s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 12:52

General

  • Target

    e292bc0a80cc7dc66ff3116336a17bb0d76c55ea91a6c9fed81debdec48c910c.exe

  • Size

    10.5MB

  • MD5

    19153a23d8bf242e0399ef05f352f04f

  • SHA1

    20c06c0a0b98a45089ad288f354cfc4fc91dac41

  • SHA256

    e292bc0a80cc7dc66ff3116336a17bb0d76c55ea91a6c9fed81debdec48c910c

  • SHA512

    aae7ea8818b7cf4b2a5bd182a3cc5544b881e08bcbc5e731534e2eb8b70a765ddaf0855558fcdcd47dbb85c602331782ec8366359edd737558c3a94c64f55178

  • SSDEEP

    196608:ScCuika88MiXKKP1pMjDo89ub0bVe7FIetA86PURwUdyvhfSfvg9DBUky:ECDM7tsU2U3vIu

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e292bc0a80cc7dc66ff3116336a17bb0d76c55ea91a6c9fed81debdec48c910c.exe
    "C:\Users\Admin\AppData\Local\Temp\e292bc0a80cc7dc66ff3116336a17bb0d76c55ea91a6c9fed81debdec48c910c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Users\Admin\AppData\Local\Temp\000578B1\Silverlight_4.0.60531_universal.exe
      "C:\Users\Admin\AppData\Local\Temp\000578B1\Silverlight_4.0.60531_universal.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3820
      • \??\c:\0d00584020cdbd32f6b4fce20fa4\install.exe
        c:\0d00584020cdbd32f6b4fce20fa4\install.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3912

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\0d00584020cdbd32f6b4fce20fa4\install.exe

    Filesize

    196KB

    MD5

    748892d1390c8e09e145378bc4e94fd8

    SHA1

    77919af37a82474b030c9b16a0cb44030eee8fa5

    SHA256

    e41ff13f799dc9e26595dcb2c21b58bc2dc1e0a5fc9956704a1e688aa6a16d2b

    SHA512

    5d3804b97ee428e55a603ef237e8adcaaf2ae897cdbe88d66089e8bc62512c3c880bad0553dd698dd06540060c232f7f595c171bfbec30480b4d5161a8151079

  • C:\0d00584020cdbd32f6b4fce20fa4\install.res.dll

    Filesize

    347KB

    MD5

    d6b11986cea77afe7bf575f5da16bbbb

    SHA1

    9d71efcdef8467b74fc4bf26405da90d0ac4959a

    SHA256

    a520eeae3826f6b451f7066690eaa3a9ae969c334c8680d6641145f849de12ea

    SHA512

    c7089a207bb227bf1f5ab9d16d74c2563fa7a3f9c700f8b0671a0d714acd53a1b2b1ebafbb642e24ff31fe377cde52f411f2e098f7921bf602c393d11b1e7e9f

  • C:\Users\Admin\AppData\Local\Temp\000578B1\Silverlight_4.0.60531_universal.exe

    Filesize

    6.0MB

    MD5

    0ffe0529d88d33e3b498b5d7896fcb92

    SHA1

    98888055263b9bb606dcf4842c73d08193639026

    SHA256

    0034c556cc32f772cdd62f9dcf6840adc1a926a37c8d2e90564cb30dc039f0f0

    SHA512

    57fdf4caffa92e0fec6aa5f4adc218f9ce1f0b2df183fb74a7b2f1584f8e533f8c1905c20d958be25001b0371c99b7c53474a218541441fe0d4951bdf5579ffe

  • \??\c:\0d00584020cdbd32f6b4fce20fa4\install.exe

    Filesize

    196KB

    MD5

    748892d1390c8e09e145378bc4e94fd8

    SHA1

    77919af37a82474b030c9b16a0cb44030eee8fa5

    SHA256

    e41ff13f799dc9e26595dcb2c21b58bc2dc1e0a5fc9956704a1e688aa6a16d2b

    SHA512

    5d3804b97ee428e55a603ef237e8adcaaf2ae897cdbe88d66089e8bc62512c3c880bad0553dd698dd06540060c232f7f595c171bfbec30480b4d5161a8151079

  • \??\c:\0d00584020cdbd32f6b4fce20fa4\install.res.dll

    Filesize

    347KB

    MD5

    d6b11986cea77afe7bf575f5da16bbbb

    SHA1

    9d71efcdef8467b74fc4bf26405da90d0ac4959a

    SHA256

    a520eeae3826f6b451f7066690eaa3a9ae969c334c8680d6641145f849de12ea

    SHA512

    c7089a207bb227bf1f5ab9d16d74c2563fa7a3f9c700f8b0671a0d714acd53a1b2b1ebafbb642e24ff31fe377cde52f411f2e098f7921bf602c393d11b1e7e9f

  • memory/3820-132-0x0000000000000000-mapping.dmp

  • memory/3912-135-0x0000000000000000-mapping.dmp