Overview

overview

8

Static

static

381fa08a93...45.exe

windows7-x64

8

381fa08a93...45.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    183s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    381fa08a936f706f9425de8488fa05c6ae3a785aee3e80b5d431190d8c51bd45.exe

  • Size

    171KB

  • MD5

    5549061d2e7611b35d9e43a0f65852d2

  • SHA1

    3ba933bcd5b8fe00bac9bd744a21a726e01c0ddc

  • SHA256

    381fa08a936f706f9425de8488fa05c6ae3a785aee3e80b5d431190d8c51bd45

  • SHA512

    b8d50871863c5c8087591c6104ba5cc73c796e2e6600ea173bbfca92356204cca5aa5be4e057b3e05753410e47d0b27e8a9869c28cf91f62ca8087568c58b08c

  • SSDEEP

    3072:iBAp5XhKpN4eOyVTGfhEClj8jTk+0hGC4nJuQVCKTp6:xbXE9OiTGfhEClq9dCsTCKTE

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\381fa08a936f706f9425de8488fa05c6ae3a785aee3e80b5d431190d8c51bd45.exe
    "C:\Users\Admin\AppData\Local\Temp\381fa08a936f706f9425de8488fa05c6ae3a785aee3e80b5d431190d8c51bd45.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\1\2\sogazr.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:3648
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\1\2\daet.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:2328
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\1\2\ekstaz.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4964

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\1\2\daet.vbs
    Filesize

    548B

    MD5

    23e1994afc048f22201e051d316c4ad5

    SHA1

    be5bf58340910e350bc312f063965279009e9ca2

    SHA256

    91a99c244d4b359e4ef52496c60e49be7b10026e0e3b5e44c53101f17c097913

    SHA512

    828da221179c02231069b5fa2b97532f006ee339a7c6c5fe8ef8fccecdf791561ce9f7aea66260d1592bc599812598fc2e02eaf62ba2b8193776666c674c30de

    Download Submit

  • C:\Program Files (x86)\1\2\ekstaz.vbs
    Filesize

    579B

    MD5

    398ac27a74bcdba86f2791c7da01ae9e

    SHA1

    7f6b22dda201daafdf12b34b62422d044c7de335

    SHA256

    02a747ad63dc0d1110b5d1a1b5ccd038e15081ac7f55ad80bbbe7c8ccb811628

    SHA512

    3b4bc4c793814d489ceb0276172c016048140f4c43385768bbea1c627909a28162e9266f31823b49a8204ebab70567049642697f6b1635c1b038552f54a7d4b7

    Download Submit

  • C:\Program Files (x86)\1\2\gam.txt
    Filesize

    1B

    MD5

    fc1262746424402278e88f6c1f02f581

    SHA1

    77ac341feebeb7c0a7ff8f9c6540531500693bac

    SHA256

    94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

    SHA512

    f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

    Download Submit

  • C:\Program Files (x86)\1\2\kids.txt
    Filesize

    5B

    MD5

    fa54236b51312560a33f74061da7c1a2

    SHA1

    d3a9987bae22aae745550850ac6fbe63b1f1baf8

    SHA256

    cd52b33f6f37c16d112057b4c1e256e785ff2f24e6653e4220427a06843be849

    SHA512

    686029033b58cf6e68dcf00ac5d921eda87db4191f68e6fde059071a0eb6342858f4ab650b33a628d292d918bfb454fbb9b9b6b3ff9807c573f2446ac482ecec

    Download Submit

  • C:\Program Files (x86)\1\2\sogazr.bat
    Filesize

    3KB

    MD5

    2aa3f4da1dc0a98c70866f66b63a3f97

    SHA1

    b26bb29f2fc16326b1ddee2df119f5c9231c8484

    SHA256

    6377a61e500c6930b979ca3837085c171539c9e7ac64a1d9ce4d6c0e5d6b0387

    SHA512

    9799808583da6030237e587370b93da72d7c486386d2167c8c2c02ecf733d052961e39f73666bf79a3fc5024f4c138b4c609a553c32088b8b6819b14635e850d

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    ec594855290bef0dab963e6c3da5e7f9

    SHA1

    f9f062f06b8869010902d40cfa40e89476292c8d

    SHA256

    ff770401f9ba83b76f6fb3f819ca5f47041c40e542e98a0837397c5d2bbb1c98

    SHA512

    adbf319675b6762d8d4804a56d3720f800564903a9e19feae11a4417ad0e99debf5e45e2a8c395e3106b2011efc5e7c7ef00047380b58b3f2139177f408f7446

    Download Submit

  • memory/2328-134-0x0000000000000000-mapping.dmp

    Download

  • memory/3648-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4964-135-0x0000000000000000-mapping.dmp

    Download