Overview

overview

8

Static

static

0ad090ea42...0e.exe

windows7-x64

8

0ad090ea42...0e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    164s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe

  • Size

    2.4MB

  • MD5

    3cc08484a5832e084968697b3482500c

  • SHA1

    7c44cdba35af72cbd2f8a024192b251350ccb501

  • SHA256

    0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e

  • SHA512

    64cfc7a9a7bbceee98a272bc853f480e5784af2a84db6bb809829ad580b4bad99a45d38453fc867c1426913a83512dc6c01301e3eba6fe526ebfa33b51820c7f

  • SSDEEP

    49152:FstL1S9LWLl1hYRtUwSLOekVK7vObWhLzaBkiZoStBWGJoEr9KF:FstULm1hYtSCwObULGBhKE7rc

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
    "C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
      C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
      2⤵
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
        C:\Users\Admin\AppData\Local\Temp\0ad090ea42302cec5037dfe111014682cf0b72ae34c3c2d83d6705c59f170d0e.exe
        3⤵
        • Checks computer location settings
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
          4⤵
            PID:4200

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\teste.txt
      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\teste.vbs
      Filesize

      841B

      MD5

      615964e5ab63a70f0e205a476c48e356

      SHA1

      292620321db69d57ba23fa98d2a89484ddcf83d0

      SHA256

      38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

      SHA512

      69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

      Download Submit

    • memory/736-144-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/736-140-0x0000000000000000-mapping.dmp

      Download

    • memory/736-141-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/736-145-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/736-146-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/736-147-0x0000000000400000-0x0000000000A07000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3660-143-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/3660-134-0x0000000000000000-mapping.dmp

      Download

    • memory/3660-138-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/3660-135-0x0000000000400000-0x0000000000650000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4200-148-0x0000000000000000-mapping.dmp

      Download