Analysis

  • max time kernel
    17s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 19:53

General

  • Target

    4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe

  • Size

    42KB

  • MD5

    444072ec68d9dad8de5f9060c74e3b90

  • SHA1

    f3845470366d4ce52a18492f279e3a89ef25e485

  • SHA256

    4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a

  • SHA512

    52d3f0d91f60a0b28e4035be23d743fedcc233025548d3c063350d8cfb6d57d920377e71561ce0fbdf60cc96ca8d7d449878e68f9d513e5b04701ee9eddfa247

  • SSDEEP

    768:4Hfw7mQfGl0LapVukH8vRQ502qO5tLi9QyDGTUtGRbipTLZgRLSusE3:6g60G2FpQ502HjcGCZgou

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
    "C:\Users\Admin\AppData\Local\Temp\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "MSango.bin"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "MSango.bin"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:568
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 1.bat
      2⤵
      • Deletes itself
      PID:548

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    Filesize

    251B

    MD5

    375f11386030bf440c1058b8c43b8efe

    SHA1

    a417c674134155403da4240e487060739a0487a6

    SHA256

    a878487c1e39d76495de1bbdced349fe0e47373628a8969a36210f8f0adf62f8

    SHA512

    623c13cfe74c58e2435063c7bd171a31548a8b49d84789147e87e31198449e804d717f84b69669377d69d67237d44336dc7877e96ef2f08c13c053b8f7809ac7

  • memory/548-58-0x0000000000000000-mapping.dmp
  • memory/568-57-0x0000000000000000-mapping.dmp
  • memory/656-56-0x0000000000000000-mapping.dmp
  • memory/1724-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

  • memory/1724-55-0x0000000074D71000-0x0000000074D73000-memory.dmp
    Filesize

    8KB