Overview

overview

10

Static

static

db1d98c168...3a.exe

windows7-x64

1

db1d98c168...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db1d98c16820f551f859b02d4fff9fe9611a35760e0a3fbb6e5e24843093503a.exe

  • Size

    196KB

  • MD5

    0d5ed7c8e96cc9a9f28fddbb31ae31ef

  • SHA1

    0d1764ef7093c0872ddb31a1bbf6baf9ee873d70

  • SHA256

    db1d98c16820f551f859b02d4fff9fe9611a35760e0a3fbb6e5e24843093503a

  • SHA512

    a672c4858968afc5676670879736c620c557ef663bdd0087b46521507e9dc79d8fde17dfb872c67b820c87daeccec1c5ddfc35afe3405b5bdc78c19977f14737

  • SSDEEP

    6144:kK1D59kajqFnyzSgcedwXOOqYGzP/0KF:q1A4eMfqfP/

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2404
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2432
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2588
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4608
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3704
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:3504
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:3420
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:3344
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3252
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                      1⤵
                        PID:2648
                      • C:\Windows\Explorer.EXE
                        C:\Windows\Explorer.EXE
                        1⤵
                          PID:2740
                          • C:\Users\Admin\AppData\Local\Temp\db1d98c16820f551f859b02d4fff9fe9611a35760e0a3fbb6e5e24843093503a.exe
                            "C:\Users\Admin\AppData\Local\Temp\db1d98c16820f551f859b02d4fff9fe9611a35760e0a3fbb6e5e24843093503a.exe"
                            2⤵
                            • Modifies firewall policy service
                            • Checks computer location settings
                            • Adds Run key to start application
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: RenamesItself
                            • Suspicious use of WriteProcessMemory
                            PID:2956
                            • C:\Users\Admin\AppData\Roaming\msdtc.exe
                              "C:\Users\Admin\AppData\Roaming\msdtc.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:2752

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\msdtc.exe
                          Filesize

                          196KB

                          MD5

                          0d5ed7c8e96cc9a9f28fddbb31ae31ef

                          SHA1

                          0d1764ef7093c0872ddb31a1bbf6baf9ee873d70

                          SHA256

                          db1d98c16820f551f859b02d4fff9fe9611a35760e0a3fbb6e5e24843093503a

                          SHA512

                          a672c4858968afc5676670879736c620c557ef663bdd0087b46521507e9dc79d8fde17dfb872c67b820c87daeccec1c5ddfc35afe3405b5bdc78c19977f14737

                          Download Submit

                        • memory/2740-132-0x000000007FFC0000-0x000000007FFD1000-memory.dmp

                          Filesize

                          68KB

                          Download

                        • memory/2740-133-0x000000007FF80000-0x000000007FFB1000-memory.dmp

                          Filesize

                          196KB

                          Download

                        • memory/2752-161-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2752-170-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/2956-158-0x0000000000400000-0x000000000043B000-memory.dmp

                          Filesize

                          236KB

                          Download

                        • memory/2956-159-0x000000007FDF0000-0x000000007FE01000-memory.dmp

                          Filesize

                          68KB

                          Download

                        • memory/2956-160-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/2956-192-0x000000007FD70000-0x000000007FD81000-memory.dmp

                          Filesize

                          68KB

                          Download

                        • memory/2956-193-0x000000007FD10000-0x000000007FD1C000-memory.dmp

                          Filesize

                          48KB

                          Download