Overview

overview

8

Static

static

508e2231fe...18.exe

windows7-x64

8

508e2231fe...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2022, 00:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18.exe

  • Size

    234KB

  • MD5

    38b1c1b60b969c116ed8f05cbdf46610

  • SHA1

    10477ac94f70cb7abdd128c9c0f7d339adf65282

  • SHA256

    508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18

  • SHA512

    4bf5157e601d8f457a98478314663687f5b1c17591aceab7f34f762f8afd1bde134521e200d7eed5231262f6a7f75b663722fa89968702660c6ac586702125e7

  • SSDEEP

    3072:YXJ+KhZ1RcBEZAZ2MiaHMXhalr0fOeXAdWEuX/dvo:4VhZ1RQEO2MvH6hnkCXJ

Score
8/10
evasion

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18.exe
    "C:\Users\Admin\AppData\Local\Temp\508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18.exe
      C:\Users\Admin\AppData\Local\Temp\508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18.exe -SafeSys
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\SysWOW64\Rundll32.exe
        "C:\Windows\system32\Rundll32.exe" "C:\Program Files (x86)\rwlur.bak",MyDLLEntry
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:1328
    • C:\Program Files (x86)\Common Files\SafeSys.exe
      "C:\Program Files (x86)\Common Files\SafeSys.exe" SafeSys
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4028 -ip 4028
      1⤵
        PID:4544

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Common Files\SafeSys.exe
              Filesize

              234KB

              MD5

              38b1c1b60b969c116ed8f05cbdf46610

              SHA1

              10477ac94f70cb7abdd128c9c0f7d339adf65282

              SHA256

              508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18

              SHA512

              4bf5157e601d8f457a98478314663687f5b1c17591aceab7f34f762f8afd1bde134521e200d7eed5231262f6a7f75b663722fa89968702660c6ac586702125e7

              Download Submit

            • C:\Program Files (x86)\Common Files\SafeSys.exe
              Filesize

              234KB

              MD5

              38b1c1b60b969c116ed8f05cbdf46610

              SHA1

              10477ac94f70cb7abdd128c9c0f7d339adf65282

              SHA256

              508e2231feddc8d3429b345f5f85979ce3339351216c587fbc456e9d464b0c18

              SHA512

              4bf5157e601d8f457a98478314663687f5b1c17591aceab7f34f762f8afd1bde134521e200d7eed5231262f6a7f75b663722fa89968702660c6ac586702125e7

              Download Submit

            • C:\Program Files (x86)\rwlur.bak
              Filesize

              10KB

              MD5

              0a8d07ff358703bf65b83b09b7b78432

              SHA1

              2ad9134da8db9ce75489dcaed7ec8828b7ed0651

              SHA256

              93878bfdddfff8c1ad14af2bdae67a386d1bc8aac8ddb594c68898d90f5a0118

              SHA512

              3aa1dbe7016f856205d127e5ad29b723f80c7bd337419ab66d61e8cef2390cbe2df3418ca71a68ed88aa26e18551c2a94e532b5d7e36aa8fb4d7abb572856361

              Download Submit

            • C:\Program Files (x86)\rwlur.bak
              Filesize

              10KB

              MD5

              0a8d07ff358703bf65b83b09b7b78432

              SHA1

              2ad9134da8db9ce75489dcaed7ec8828b7ed0651

              SHA256

              93878bfdddfff8c1ad14af2bdae67a386d1bc8aac8ddb594c68898d90f5a0118

              SHA512

              3aa1dbe7016f856205d127e5ad29b723f80c7bd337419ab66d61e8cef2390cbe2df3418ca71a68ed88aa26e18551c2a94e532b5d7e36aa8fb4d7abb572856361

              Download Submit

            • memory/316-144-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/316-148-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/316-147-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/1328-138-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1328-139-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1684-140-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/1684-149-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/1684-132-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/4028-146-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/5012-134-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download