Overview

overview

8

Static

static

c219955852...63.exe

windows7-x64

8

c219955852...63.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c219955852517964f6b6e795a52b1d0c425bd30ada4f061afe21f3d535642c63.exe

  • Size

    3.2MB

  • MD5

    60d87145479d73dae26ffdce16c1a071

  • SHA1

    0206ace501f3760edf5be079951fcadd17c52c7b

  • SHA256

    c219955852517964f6b6e795a52b1d0c425bd30ada4f061afe21f3d535642c63

  • SHA512

    cb90cc27e5f53e2b00e187d203191ef76e432592a5de1c2ca820b920c90e4b9999925da0ac25ed0890e360e7f3baa694003ffa811b45cdf96d74cb4833e57195

  • SSDEEP

    98304:xFNW00i+rCrOZk8mXENd5VY8ScDnOsahMtAnZ:x9Tg4OZkdXEv0wODhMM

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 49 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c219955852517964f6b6e795a52b1d0c425bd30ada4f061afe21f3d535642c63.exe
    "C:\Users\Admin\AppData\Local\Temp\c219955852517964f6b6e795a52b1d0c425bd30ada4f061afe21f3d535642c63.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Users\Admin\AppData\Local\Temp\c219955852517964f6b6e795a52b1d0c425bd30ada4f061afe21f3d535642c63.exe
      "C:\Users\Admin\AppData\Local\Temp\c219955852517964f6b6e795a52b1d0c425bd30ada4f061afe21f3d535642c63.exe"
      2⤵
      • Checks BIOS information in registry
      • Checks computer location settings
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
      • \??\c:\Program Files\Javascript\Windows Up.EXE
        "c:\Program Files\Javascript\Windows Up.EXE"
        3⤵
        • Executes dropped EXE
        PID:4376
        • \??\c:\Program Files\Javascript\Windows Up.EXE
          "c:\Program Files\Javascript\Windows Up.EXE"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Javascript\Windows Up.EXE
    Filesize

    2.0MB

    MD5

    06fc08f4f00dc5e98e498e3e99859a77

    SHA1

    6177caa516a7aa72746bb4607364acfc572174cf

    SHA256

    6dd5cba03075fdb4c555e718c2d80877aed428836dda6ba9d05af4dee7a76d56

    SHA512

    13f744fdf416c95e367d6088e21dc08be2d54e13dbf48bcfba5defc2e22fcf63bc558bf2a44c10016cda787eb1ab7379b1a862b18e6221879be64cef80f25865

    Download Submit

  • C:\Program Files\Javascript\Windows Up.EXE
    Filesize

    2.0MB

    MD5

    06fc08f4f00dc5e98e498e3e99859a77

    SHA1

    6177caa516a7aa72746bb4607364acfc572174cf

    SHA256

    6dd5cba03075fdb4c555e718c2d80877aed428836dda6ba9d05af4dee7a76d56

    SHA512

    13f744fdf416c95e367d6088e21dc08be2d54e13dbf48bcfba5defc2e22fcf63bc558bf2a44c10016cda787eb1ab7379b1a862b18e6221879be64cef80f25865

    Download Submit

  • C:\ProgramData\Licenses\0C6E3D0636B8B23B2.Lic
    Filesize

    127B

    MD5

    397ee39af9289f07f4b81b3c722008e6

    SHA1

    0e6e49239a9cd65e6ef848ecace7ce09b5c638d8

    SHA256

    cb137ce7d0b2b6934b8f1094f6ada5123adcdcfa17bd8efa561bfb2f86e4b29c

    SHA512

    94128a9b04750e9bed30ce94f793d0b71f6561d296303bd1c948de3389651b99ca83deb29ff44c9adfe0594f0d80f36f75088a6ecb2824f6c01ad05db642f639

    Download Submit

  • C:\ProgramData\Licenses\0C6E3D0636B8B23B2.Lic
    Filesize

    125B

    MD5

    a7af2e45edc5b3684cac3e493c017ff3

    SHA1

    f4ab1c4632f4161f825bd66ba8bb28be7589f0cc

    SHA256

    c9449eaea86aa3bf9a4f75bc913b26b0b001ca62086ef9141a2f03bf6b82d9f7

    SHA512

    bda826a7eef79339e89d4d7e1ee178aa5484e58b50644f6c8a907a0a4420b45d35bd382de7cef6edc5748b672b87b2240bce70eddc4aaa3c52df4bb843d4ecaf

    Download Submit

  • C:\ProgramData\Licenses\0C6E3D0636B8B23B2.Lic
    Filesize

    127B

    MD5

    1a94305d7378b7ddc1cf17096c418045

    SHA1

    0c5a33e69061f3985a3200523922199845ee035e

    SHA256

    f1c1e47a939b121bbd61791580483335340bbdead4912c291b1abfa3d3f97ba1

    SHA512

    5f65c3d364c8336b67fa09c46686d81d181d2854664bdcdd4e33f8a5f49d5d2f7a31c516297ddb42bb6d36cfde6772aa5eb0a7a02c1c36659fa0719bdbc98536

    Download Submit

  • C:\ProgramData\TEMP:C980DA7D
    Filesize

    127B

    MD5

    f20f9bc3348798fe97949dcbe869b20e

    SHA1

    ddc404bb1b2259ad7abfe6330edd5c485ba53170

    SHA256

    bd0d781946d7cdf1b1183c1d54d39d63887b3345f19ca96103260456483c2c6b

    SHA512

    3918b14bcb7f92b17904cbe036a786007388841e05e850313082c9775a4e0df0c4b7a8284ca2fd26419dd807b102edd3ed3e0b99f0a2d4879070fe06eba804ba

    Download Submit

  • \??\c:\Program Files\Javascript\Windows Up.EXE
    Filesize

    2.0MB

    MD5

    06fc08f4f00dc5e98e498e3e99859a77

    SHA1

    6177caa516a7aa72746bb4607364acfc572174cf

    SHA256

    6dd5cba03075fdb4c555e718c2d80877aed428836dda6ba9d05af4dee7a76d56

    SHA512

    13f744fdf416c95e367d6088e21dc08be2d54e13dbf48bcfba5defc2e22fcf63bc558bf2a44c10016cda787eb1ab7379b1a862b18e6221879be64cef80f25865

    Download Submit

  • memory/400-141-0x0000000000400000-0x00000000007B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/400-683-0x0000000000400000-0x00000000007B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3012-161-0x0000000000408000-0x0000000000409000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-157-0x000000000040D000-0x000000000040E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-148-0x0000000000400000-0x00000000007B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3012-167-0x0000000000412000-0x0000000000413000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-166-0x0000000000419000-0x000000000041A000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-169-0x0000000000414000-0x0000000000415000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-168-0x0000000000413000-0x0000000000414000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-170-0x0000000000422000-0x0000000000423000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-165-0x000000000041A000-0x000000000041B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-172-0x000000000041B000-0x000000000041C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-173-0x0000000000421000-0x0000000000422000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-174-0x000000000041E000-0x000000000041F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-171-0x0000000000423000-0x0000000000424000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-182-0x0000000000425000-0x0000000000426000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-183-0x0000000000409000-0x000000000040A000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-184-0x0000000000437000-0x0000000000438000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-185-0x0000000000429000-0x000000000042A000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-181-0x0000000000426000-0x0000000000427000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-180-0x0000000000424000-0x0000000000425000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-179-0x0000000000415000-0x0000000000416000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-178-0x000000000043B000-0x000000000043C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-177-0x0000000000428000-0x0000000000429000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-176-0x0000000000440000-0x0000000000441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-175-0x000000000043A000-0x000000000043B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-164-0x000000000040F000-0x0000000000410000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-163-0x0000000000410000-0x0000000000411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-162-0x000000000040E000-0x000000000040F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-145-0x0000000003770000-0x0000000003790000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3012-160-0x000000000040B000-0x000000000040C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-159-0x000000000040C000-0x000000000040D000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-158-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-146-0x0000000000400000-0x00000000007B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3012-156-0x0000000000411000-0x0000000000412000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-155-0x0000000000407000-0x0000000000408000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-187-0x0000000000449000-0x000000000044A000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-186-0x0000000000442000-0x0000000000443000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-189-0x000000000041C000-0x000000000041D000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-188-0x0000000000445000-0x0000000000446000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-197-0x0000000000404000-0x0000000000405000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-195-0x0000000000406000-0x0000000000407000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-193-0x000000000041F000-0x0000000000420000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-201-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-199-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-191-0x000000000044A000-0x000000000044B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-205-0x000000000044B000-0x000000000044C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-219-0x000000000042E000-0x000000000042F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-221-0x000000000042B000-0x000000000042C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-217-0x0000000000434000-0x0000000000435000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-215-0x000000000044D000-0x000000000044E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-209-0x0000000000405000-0x0000000000406000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-207-0x000000000044C000-0x000000000044D000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-133-0x0000000000000000-mapping.dmp

    Download

  • memory/3012-685-0x0000000002750000-0x00000000028BE000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3012-135-0x0000000002750000-0x00000000028BE000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3012-142-0x0000000000400000-0x00000000007B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3012-143-0x0000000002750000-0x00000000028BE000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3012-144-0x0000000000400000-0x00000000007B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/4376-515-0x0000000000400000-0x00000000006B7000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4376-505-0x0000000000000000-mapping.dmp

    Download

  • memory/4376-1031-0x0000000000400000-0x00000000006B7000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4988-587-0x0000000002720000-0x000000000288E000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4988-585-0x0000000000400000-0x00000000006B7000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4988-514-0x0000000000000000-mapping.dmp

    Download

  • memory/4988-1032-0x0000000002720000-0x000000000288E000-memory.dmp

    Filesize

    1.4MB

    Download