Overview

overview

8

Static

static

023b8705df...ac.exe

windows7-x64

8

023b8705df...ac.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    178s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    023b8705df4aa5e759a9e800a61e0f18f91286d2e826f2c741324e4b8ee6e3ac.exe

  • Size

    21KB

  • MD5

    570f20cf2b9043335d86584e61e42c20

  • SHA1

    3642acbce841b89682d6cc2872ac976923573f29

  • SHA256

    023b8705df4aa5e759a9e800a61e0f18f91286d2e826f2c741324e4b8ee6e3ac

  • SHA512

    c45c1ca589645bec8ba02584d9db50afc84fe77d877b9a2dfc0d518190a0ecd5163bf4b088a1abbd3c94de0b076541a2c3c82164d966e7d3f1d75c37d1c24bdc

  • SSDEEP

    384:Ax4eXupD27yKIJ9YurSVhM63M49HmU6aHgnk:sXuzKmOHnvgnk

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\023b8705df4aa5e759a9e800a61e0f18f91286d2e826f2c741324e4b8ee6e3ac.exe
    "C:\Users\Admin\AppData\Local\Temp\023b8705df4aa5e759a9e800a61e0f18f91286d2e826f2c741324e4b8ee6e3ac.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\henis.exe
      "C:\Users\Admin\AppData\Local\Temp\henis.exe"
      2⤵
      • Executes dropped EXE
      PID:2544

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\henis.exe
    Filesize

    21KB

    MD5

    d6199b5eb0251b1ce614ff510d6ddd81

    SHA1

    df9f084dfa2f528541003c4ed5ad72a64c7e25d5

    SHA256

    05572a90723c35312b1eede19c8f79028babfa24a4058b9158cfd7803acb9b45

    SHA512

    29a3f9f223dbc2a960106d48e0f0cc920c2728bf706fc03ed30e17a2cd9f17227ebd2fbfadd9ba3cdd8b7e44f9b926f4a9731785dd8dc72ac9cadebe89eb0f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\henis.exe
    Filesize

    21KB

    MD5

    d6199b5eb0251b1ce614ff510d6ddd81

    SHA1

    df9f084dfa2f528541003c4ed5ad72a64c7e25d5

    SHA256

    05572a90723c35312b1eede19c8f79028babfa24a4058b9158cfd7803acb9b45

    SHA512

    29a3f9f223dbc2a960106d48e0f0cc920c2728bf706fc03ed30e17a2cd9f17227ebd2fbfadd9ba3cdd8b7e44f9b926f4a9731785dd8dc72ac9cadebe89eb0f82

    Download Submit

  • memory/2544-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2544-138-0x0000000000510000-0x0000000000518000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4984-132-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4984-133-0x0000000000490000-0x0000000000498000-memory.dmp

    Filesize

    32KB

    Download