Overview

overview

8

Static

static

cc97aa8416...db.exe

windows7-x64

8

cc97aa8416...db.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    126s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe

  • Size

    280KB

  • MD5

    30b9b7aa26d3a07242d2e6ce9e95f77b

  • SHA1

    fb3e290ec9eb4efcc5c644251817d42172baed66

  • SHA256

    cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db

  • SHA512

    b1155f38f209be6fd732843c5982d8503110d28fbda780f907a0eac7fbf36194f6ffb0f82cba0eb7ac61416f829e61583920c67b0d2c84bd71f7d67b60306a26

  • SSDEEP

    6144:hbtF3Dcrpj3Y6Dxg3gK7+X/7xdgPBT//h:hbsx1x6RSxU/h

Score
8/10
persistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 2 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe
    "C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe
      "C:\Users\Admin\AppData\Local\Temp\cc97aa8416d4afbf132cb2f5f94cb3ae671093314325f269c7363e14f85193db.exe"
      2⤵
      • Sets file execution options in registry
      • Checks for any installed AV software in registry
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x641707DE" /TR "C:\ProgramData\iexplorer\ctdimlhze.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1944
      • C:\Windows\SysWOW64\WerFault.exe
        "C:\Windows\SysWOW64\WerFault.exe"
        3⤵
          PID:1016

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/588-64-0x00000000002B0000-0x00000000002FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/588-67-0x00000000002B0000-0x00000000002FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/588-59-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/588-61-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/588-62-0x00000000002B0000-0x00000000002FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/588-63-0x0000000075891000-0x0000000075893000-memory.dmp

      Filesize

      8KB

      Download

    • memory/588-56-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/588-65-0x00000000003B0000-0x00000000003BB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1016-69-0x0000000076F30000-0x00000000770B1000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1016-70-0x0000000000200000-0x0000000000294000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1016-71-0x0000000076F30000-0x00000000770B1000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1016-72-0x0000000000200000-0x0000000000294000-memory.dmp

      Filesize

      592KB

      Download