Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 18:46

General

  • Target

    46df19038c6e96cae6ddd4e8f1f1889836a83d5cbacbd317208d0925259022eb.exe

  • Size

    612KB

  • MD5

    03a29f4c82106669691aab94b648db66

  • SHA1

    e33a8dbf43544e00fc06f934ed253dcc56442a65

  • SHA256

    46df19038c6e96cae6ddd4e8f1f1889836a83d5cbacbd317208d0925259022eb

  • SHA512

    a7fdbaf6de13cda9cdce7e9383d0264dcaa2eac538e6ce60e4f9fa4fec7375a76f1bc41fadc51f562456048cfdf4c9bf5e530e9f6d3a26eb86e8518a05faa937

  • SSDEEP

    12288:vaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQHSb:yadMv6CYrjqnyLQyb

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 12 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Modifies registry class 19 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46df19038c6e96cae6ddd4e8f1f1889836a83d5cbacbd317208d0925259022eb.exe
    "C:\Users\Admin\AppData\Local\Temp\46df19038c6e96cae6ddd4e8f1f1889836a83d5cbacbd317208d0925259022eb.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.jse"
      2⤵
      • Modifies system executable filetype association
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:212 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\46df19038c6e96cae6ddd4e8f1f1889836a83d5cbacbd317208d0925259022eb.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 4 127.1
        3⤵
        • Runs ping.exe
        PID:2216

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\monitor.jse

    Filesize

    7KB

    MD5

    102834feb6758b18cdf340a03b513378

    SHA1

    473af8cd9ec005ae4e720cf68bec53d81ee673fd

    SHA256

    cf780d1bbbb52a2b5d745751a2debca5e66b1a6a0d43a3a4123eaa432dbc7025

    SHA512

    80ec444cedb074d75802c4443db15ed3d51d33d6ad65fbd21745ffa3314c2e3a81145fa487223ab3b68186e2ac575522211cd587c766f02c133dd1c0f711956f

  • C:\Users\Public\Desktop\Internet Explorer.lnk

    Filesize

    1KB

    MD5

    4fbd4f40fb1b7ff4a25086308d483537

    SHA1

    d07d92b6ac0c8df3d1f674782c556407f785b6bf

    SHA256

    f2407ebb1edcbe4455648f7c33e38fdfc6aac39ec0adec8a5d911725d3b89368

    SHA512

    5b61116a39fabc477ac253acea7429766816c4b5c5f447f6aa95921abb608d0b96804d1d3e9c2994f81f9c7b0471274020d3c5b5a34be12246bbe0161ca5fc8f

  • memory/1116-132-0x0000000000000000-mapping.dmp

  • memory/2216-136-0x0000000000000000-mapping.dmp

  • memory/4772-135-0x0000000000000000-mapping.dmp