Overview

overview

10

Static

static

be58937738...43.exe

windows7-x64

10

be58937738...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43.exe

  • Size

    388KB

  • MD5

    5675376d08c87c70f8b557280c8aae0e

  • SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

  • SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

  • SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

  • SSDEEP

    6144:UMbELf/MJ8cWdi5pV/JNWOVhMSvk/Ziuv:edOpNX1hjvt

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs
    evasion
  • Executes dropped EXE 9 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 42 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43.exe
    "C:\Users\Admin\AppData\Local\Temp\be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
      "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Program Files\Windows Common Files\Commgr.exe
        "C:\Program Files\Windows Common Files\Commgr.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3004
    • C:\Program Files\Windows Alerter\WinAlert.exe
      "C:\Program Files\Windows Alerter\WinAlert.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1160
    • C:\Program Files\Windows Alerter\WinAlert.exe
      "C:\Program Files\Windows Alerter\WinAlert.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
        "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3144
      • C:\Program Files\Windows Common Files\Commgr.exe
        "C:\Program Files\Windows Common Files\Commgr.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:1540
    • C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
      "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:496
    • C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3380

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Alerter\WinAlert.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Alerter\WinAlert.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Alerter\WinAlert.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    388KB

    MD5

    5675376d08c87c70f8b557280c8aae0e

    SHA1

    ff769308f1d70bb31274e33b7e80cd3a0f2d528a

    SHA256

    be5893773804f9097891372136300b701fe87b13218dc1042d919c6357e0fe43

    SHA512

    46b7ce14b28521adf8053813e95c2a7c34e29996fe0e69e1f4547426195fc8d4c8d6075181c293c3156a6a1ec2b41febd49a00807f06d8fff5b94548b3bd2078

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
    Filesize

    19KB

    MD5

    ace8523e76b4dc5d857476ba6c17fbb8

    SHA1

    9862def4e51253202ec693ec212835c81279b618

    SHA256

    9e39ebbf62c7062978f2a185ca0fa9272e4a91ee9ec18dd3f8815493d15a75b5

    SHA512

    7905a2f1956660065ec8a752e76e508a905787f9bd563cd1a14d671c1f0e7885c41c4cdbbeb4583aca3bcac5ffdd8a02c0a5b8e3ec17490783aa054e5bc8a929

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
    Filesize

    30KB

    MD5

    5b886cd54f82dfab4b823db5235a0320

    SHA1

    2deeffa56caa90afd2b4fca631885a2ecad18b64

    SHA256

    acac06afae183fa81346e761826c1aa163374dd165db65ae27f156d5692b55cc

    SHA512

    7019a9d64642bbd2646a12dde0a0b582ee49bd855e3765af6973ea97d1f03aa8d0c754e0d0251b60858aa5e0ff48fd88b55dd756d571a3f794c4d637ccd0a830

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
    Filesize

    9KB

    MD5

    6c27f5e59e6f6808ebe49f5899d95e52

    SHA1

    ba16a62a8acd251dcd8ef804997f350605ebbacc

    SHA256

    be6c1e0c6b5a868a3ed980a42cf7f2561acbc2f9fdf8aa339848026418bcc302

    SHA512

    ac3e557728494c510d50565a5187b12894cdd5e93aceca410e7507cd1c4d2dca06f2832a69b6b7a6ac590bb3b6bddef815a057347c257feed0183a84a7cece19

    Download Submit

  • memory/496-150-0x0000000000000000-mapping.dmp

    Download

  • memory/496-157-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/620-139-0x0000000000000000-mapping.dmp

    Download

  • memory/620-155-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1124-136-0x0000000000000000-mapping.dmp

    Download

  • memory/1124-154-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1160-137-0x0000000000000000-mapping.dmp

    Download

  • memory/1160-153-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1540-164-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1540-159-0x0000000000000000-mapping.dmp

    Download

  • memory/3004-165-0x0000000000000000-mapping.dmp

    Download

  • memory/3004-168-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3144-158-0x0000000000000000-mapping.dmp

    Download

  • memory/3144-163-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3380-146-0x0000000000000000-mapping.dmp

    Download

  • memory/3380-152-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4660-135-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4660-169-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4856-156-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4856-138-0x0000000000000000-mapping.dmp

    Download