Overview

overview

7

Static

static

6b93f989a1...5d.exe

windows7-x64

7

6b93f989a1...5d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b93f989a19f8f5e86f75db34e00f3d3d3bd05f649c393d2cc7ac81c8ad33f5d.exe

  • Size

    75KB

  • MD5

    3fb52b7fb6b10c98ee21ebbfe1827255

  • SHA1

    34b688f407cf926cc92a92349316ab4e9917b9ae

  • SHA256

    6b93f989a19f8f5e86f75db34e00f3d3d3bd05f649c393d2cc7ac81c8ad33f5d

  • SHA512

    e1ef7b2aadcb77bf43b6909be403c917b9166c0454f8882a87a3b3f245dbc193b4e48492eebb33828cd474b9ceb0e957b6bd01f976f4cffe22ffc4db068b0141

  • SSDEEP

    1536:BbBsYVpEDyVT2eGgREZJvoFuCgq46DZkwLR:BbBvVpJ2eGgR/gq4qZkaR

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b93f989a19f8f5e86f75db34e00f3d3d3bd05f649c393d2cc7ac81c8ad33f5d.exe
    "C:\Users\Admin\AppData\Local\Temp\6b93f989a19f8f5e86f75db34e00f3d3d3bd05f649c393d2cc7ac81c8ad33f5d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ctb..bat" > nul 2> nul
      2⤵
        PID:4196

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Ctb..bat
      Filesize

      274B

      MD5

      0b45c74abe89f9ca9e69376e2f1bfcf4

      SHA1

      bd9f908b20e32cdda09fe81eabae61cf729d4f16

      SHA256

      920967a1abd16a5627407b6bd4f443d12423459ba9940554b31d5df34acafb25

      SHA512

      602d12e1c048738d9955ab15dacb373dcbd538d3ae2c75fede0eea97151dadf047399873a6ebf7fe95b573c524fc57aba33c765a108f910638b25daa7bf96961

      Download Submit

    • memory/2564-132-0x0000000002190000-0x00000000021B5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2564-133-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2564-134-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2564-136-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4196-135-0x0000000000000000-mapping.dmp

      Download