Overview

overview

8

Static

static

b62fac0d96...25.exe

windows7-x64

8

b62fac0d96...25.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725.exe

  • Size

    422KB

  • MD5

    554c3f24b05707d2b19bf38507598d76

  • SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

  • SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

  • SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

  • SSDEEP

    6144:T+jJxTnGqaR6rlsG6LbrVSlKR85hIp81G5NQu604EPyl3VQdF02nPVllvjAfTIj:EJMNorlsG6ZR8Z6NZylwFpPVl2Ij

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725.exe
    "C:\Users\Admin\AppData\Local\Temp\b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725.exe"
    1⤵
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Intel" /t REG_SZ /d "C:\ProgramData\Intel.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Intel" /t REG_SZ /d "C:\ProgramData\Intel.exe"
        3⤵
        • Adds Run key to start application
        PID:1784
    • C:\ProgramData\Intel.exe
      C:\ProgramData\Intel.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\ProgramData\Intel.exe
        "C:\ProgramData\Intel.exe"
        3⤵
        • Executes dropped EXE
        PID:1212
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 792
        3⤵
        • Loads dropped DLL
        PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Intel.exe
    Filesize

    422KB

    MD5

    554c3f24b05707d2b19bf38507598d76

    SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

    SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

    SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

    Download Submit
  • C:\ProgramData\Intel.exe
    Filesize

    422KB

    MD5

    554c3f24b05707d2b19bf38507598d76

    SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

    SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

    SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

    Download Submit
  • C:\ProgramData\Intel.exe
    Filesize

    422KB

    MD5

    554c3f24b05707d2b19bf38507598d76

    SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

    SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

    SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

    Download Submit
  • \ProgramData\Intel.exe
    Filesize

    422KB

    MD5

    554c3f24b05707d2b19bf38507598d76

    SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

    SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

    SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

    Download Submit
  • \ProgramData\Intel.exe
    Filesize

    422KB

    MD5

    554c3f24b05707d2b19bf38507598d76

    SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

    SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

    SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

    Download Submit
  • \ProgramData\Intel.exe
    Filesize

    422KB

    MD5

    554c3f24b05707d2b19bf38507598d76

    SHA1

    d97f51df068df55952aa8c04262bebcad9854d11

    SHA256

    b62fac0d96da7a95beed52c8fea432ab3308fd714209cf50f1123867a4e03725

    SHA512

    7c7c952285de0f8c57c6a87abec26936dadc7abf5263b783c4ac6135d7a18f4dfa42fc05aaf5ad0b791f2e741016496e22201e751e532eb55a0f113fd92e9328

    Download Submit
  • memory/332-61-0x0000000000000000-mapping.dmp
    Download
  • memory/332-80-0x0000000074500000-0x0000000074AAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/332-79-0x0000000074500000-0x0000000074AAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1212-73-0x0000000000401F8F-mapping.dmp
    Download
  • memory/1212-66-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1212-67-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1212-71-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1212-69-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1212-75-0x0000000000070000-0x0000000000087000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1224-65-0x0000000074500000-0x0000000074AAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1224-55-0x0000000074500000-0x0000000074AAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1224-56-0x0000000074500000-0x0000000074AAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1500-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1740-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1784-58-0x0000000000000000-mapping.dmp
    Download