Overview

overview

9

Static

static

9bc3304f8e...b0.exe

windows7-x64

9

9bc3304f8e...b0.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    187s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bc3304f8e8f352647fa84435b037a6bdfe06d9897cc339536b496f39e98beb0.exe

  • Size

    10.7MB

  • MD5

    a734962038e6c57ebc89cec0cbe74705

  • SHA1

    690db5bcac5732efb57cd523ae8c6197755b3a6d

  • SHA256

    9bc3304f8e8f352647fa84435b037a6bdfe06d9897cc339536b496f39e98beb0

  • SHA512

    2542d1d4d6286bb816d0084624ede82ee53f298022ffcee82536f32d4d52384b270422672b887641a9f7c8e72e1a22ffa32534e0f008b1e95e44aee3547a1a33

  • SSDEEP

    196608:D/BgW+jY1zaGCwCwo3WIvSOHnJGCwL3caee5vYPaqGa/srL5QmuUVPIOVmYZZQxU:Dpg24GCB3VHJGPDIavY4rFQSV/YlxVUN

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 5 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bc3304f8e8f352647fa84435b037a6bdfe06d9897cc339536b496f39e98beb0.exe
    "C:\Users\Admin\AppData\Local\Temp\9bc3304f8e8f352647fa84435b037a6bdfe06d9897cc339536b496f39e98beb0.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\GPInstall.exe
      "C:\Windows\GPInstall.exe" "/SOURCE=C:\Users\Admin\AppData\Local\Temp\9bc3304f8e8f352647fa84435b037a6bdfe06d9897cc339536b496f39e98beb0.exe" "/DATA=C:\Users\Admin\AppData\Local\Temp\GPI103D.tmp"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GPI103D.tmp
    Filesize

    385KB

    MD5

    7795886204927b42d4806cd802c267f2

    SHA1

    d120b25b4649ac84e6b23e5d3fb603c743ef5fae

    SHA256

    0c92e7c9759d9dc7a2c44bea2cbdca862c3b2ec19224e2cedf67188637a4d7d0

    SHA512

    3812b81d87a20b838643269241dc312571ab20a3675f24bbc41f6ee65e0d126b2e32b4561d19ba27cdb7a679de4d101a3828b8550c4368444ae5c8d275f8bfe9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\jbiF61.tmp
    Filesize

    172KB

    MD5

    fe763c2d71419352141c77c310e600d2

    SHA1

    6bb51ebcbde9fe5556a74319b49bea37d5542d5e

    SHA256

    7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

    SHA512

    147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\jbiF61.tmp
    Filesize

    172KB

    MD5

    fe763c2d71419352141c77c310e600d2

    SHA1

    6bb51ebcbde9fe5556a74319b49bea37d5542d5e

    SHA256

    7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

    SHA512

    147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\jbiF61.tmp
    Filesize

    172KB

    MD5

    fe763c2d71419352141c77c310e600d2

    SHA1

    6bb51ebcbde9fe5556a74319b49bea37d5542d5e

    SHA256

    7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

    SHA512

    147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\jbiF61.tmp
    Filesize

    172KB

    MD5

    fe763c2d71419352141c77c310e600d2

    SHA1

    6bb51ebcbde9fe5556a74319b49bea37d5542d5e

    SHA256

    7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

    SHA512

    147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\jbiF61.tmp
    Filesize

    172KB

    MD5

    fe763c2d71419352141c77c310e600d2

    SHA1

    6bb51ebcbde9fe5556a74319b49bea37d5542d5e

    SHA256

    7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

    SHA512

    147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

    Download Submit
  • C:\Windows\GPInstall.exe
    Filesize

    754KB

    MD5

    632ee49303df4e83308dc350f07acc90

    SHA1

    8b2cfe2577f1530111def34f59b533c297b914e4

    SHA256

    ffa400dd5a9f381f219eedee47958770281ae95dcb4bb61339f73148539b5bba

    SHA512

    afc4776539b11c640874a57e9517a4314616ee37f4d63f2ddeab19b8cc11e75240845af2e5ec36518ee7a409449af42dfdf49daed02313a1b3d19004a5e27e68

    Download Submit
  • C:\Windows\GPInstall.exe
    Filesize

    754KB

    MD5

    632ee49303df4e83308dc350f07acc90

    SHA1

    8b2cfe2577f1530111def34f59b533c297b914e4

    SHA256

    ffa400dd5a9f381f219eedee47958770281ae95dcb4bb61339f73148539b5bba

    SHA512

    afc4776539b11c640874a57e9517a4314616ee37f4d63f2ddeab19b8cc11e75240845af2e5ec36518ee7a409449af42dfdf49daed02313a1b3d19004a5e27e68

    Download Submit
  • memory/1304-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1304-143-0x0000000002470000-0x00000000024E3000-memory.dmp
    Filesize

    460KB

    Download
  • memory/4092-135-0x0000000002090000-0x0000000002103000-memory.dmp
    Filesize

    460KB

    Download
  • memory/4092-134-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/4092-144-0x0000000002090000-0x0000000002103000-memory.dmp
    Filesize

    460KB

    Download