Overview

overview

8

Static

static

8

6a50ec0f1b...91.exe

windows7-x64

8

6a50ec0f1b...91.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    246s
  • max time network
    260s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe

  • Size

    22KB

  • MD5

    ce17d920e84a8704c311f814ba980421

  • SHA1

    755c5beb7a15dd3a6d5eb6a5cf6f1326e3dcafa9

  • SHA256

    6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191

  • SHA512

    daee1137e0c510d848f9fb7ef0b81ad3bfc6399ee4d95ee33584409b2c6f3ac383b86258d36dde7e801c6af9cce6862050c5c6086e0125be3398d21bce7c722e

  • SSDEEP

    384:rIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZSuniaNJawcuQ:rRGuY2P0Vo6r7SiAwyrMRjbgKnbcuyDw

Score
8/10
evasionupx

Malware Config

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 27 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe
    "C:\Users\Admin\AppData\Local\Temp\6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A74.tmp\encrypt.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts -r -s -h
        3⤵
        • Views/modifies file attributes
        PID:2320
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts.ics -r -s -h
        3⤵
        • Views/modifies file attributes
        PID:1512
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts -r -s -h
        3⤵
        • Views/modifies file attributes
        PID:1320
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts.ics -r -s -h
        3⤵
        • Views/modifies file attributes
        PID:4700
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts +r +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3780
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts.ics +r +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3528
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts +r +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2940
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Windows\system32\drivers\etc\hosts.ics +r +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3A74.tmp\encrypt.bat
    Filesize

    13KB

    MD5

    d57e330a794766ec0ff5c9d766f59519

    SHA1

    fa535aae290ad5b44f9a91eb001ad5e164d1f01c

    SHA256

    eed45a63e3b37916d9cf90fafe088022c14c701e844701e81688f4f0e8c19ace

    SHA512

    718e6eefa237edceb049aba6d3f598d0e326988edce8bddd09e3e5e36f22250676517d204b6a80e6bd91cd71ccfc830f60f4221ed3fc8c934b7ae9471431842f

    Download Submit
  • memory/1108-133-0x0000000000000000-mapping.dmp
    Download
  • memory/1320-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1772-132-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1772-143-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

    Download
  • memory/2320-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2940-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2956-142-0x0000000000000000-mapping.dmp
    Download
  • memory/3528-140-0x0000000000000000-mapping.dmp
    Download
  • memory/3780-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4700-138-0x0000000000000000-mapping.dmp
    Download