Overview

overview

10

Static

static

4a1125f52e...c9.exe

windows7-x64

8

4a1125f52e...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a1125f52eb460597d912fb581a078013e97c6d9515bcbf2f63a85603662b6c9.exe

  • Size

    101KB

  • MD5

    d48e3c2058035bc083d90bb7685fe09f

  • SHA1

    bd14f31338cacf23586c65d7ce35fe3fe7f5968a

  • SHA256

    4a1125f52eb460597d912fb581a078013e97c6d9515bcbf2f63a85603662b6c9

  • SHA512

    185fe4121a0c78bc21e3fe57f03b3bfd11d47ab4a86475015633668294bb4eb4a8beb9c89839e2b75433d4f327bcfe94596e89989fee442064a6d3bad783aef8

  • SSDEEP

    1536:9QxqcQu0XPmEmEcYUpEjCTfaAIW1EvqTlrxtPpFAXF9N/6Sy:y/03mEcppEjCTfaAIWSqTlrbPLEz4

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:580
    • C:\Users\Admin\AppData\Local\Temp\4a1125f52eb460597d912fb581a078013e97c6d9515bcbf2f63a85603662b6c9.exe
      "C:\Users\Admin\AppData\Local\Temp\4a1125f52eb460597d912fb581a078013e97c6d9515bcbf2f63a85603662b6c9.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Users\Admin\AppData\Local\Temp\6ty31D.exe
        "C:\Users\Admin\AppData\Local\Temp\6ty31D.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Users\Admin\AppData\Local\Temp\6ty31D.exe
          "C:\Users\Admin\AppData\Local\Temp\6ty31D.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4712

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6ty31D.exe
      Filesize

      74KB

      MD5

      5b1a85d948bd7a075ebd0df2296ae9d5

      SHA1

      2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

      SHA256

      8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

      SHA512

      46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6ty31D.exe
      Filesize

      74KB

      MD5

      5b1a85d948bd7a075ebd0df2296ae9d5

      SHA1

      2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

      SHA256

      8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

      SHA512

      46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6ty31D.exe
      Filesize

      74KB

      MD5

      5b1a85d948bd7a075ebd0df2296ae9d5

      SHA1

      2b7cab4c68ca6c0fa28b360f9eb4673e7b075a24

      SHA256

      8cfb09392dd6cf7042c9aa9c98fbc9ef5969441d9cbf9d142fd5cbb9d70cd121

      SHA512

      46f05ba3117297faab0a7279d0791fd2e1daebcf9dbcbffaa17c2ee34ac3a68b4b8a40d4d73431a9da7e4a4c293aaf7a9f4bde2d4c93aa4f883c57fb6b2c0575

      Download Submit

    • memory/580-160-0x000000003AF00000-0x000000003AF26000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-205-0x000000003B0B0000-0x000000003B0D6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-165-0x000000003AF30000-0x000000003AF56000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-170-0x000000003AF60000-0x000000003AF86000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-240-0x000000003B200000-0x000000003B226000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-235-0x000000003B1D0000-0x000000003B1F6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-230-0x000000003B1A0000-0x000000003B1C6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-225-0x000000003B170000-0x000000003B196000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-220-0x000000003B140000-0x000000003B166000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-215-0x000000003B110000-0x000000003B136000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-210-0x000000003B0E0000-0x000000003B106000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-175-0x000000003AF90000-0x000000003AFB6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-200-0x000000003B080000-0x000000003B0A6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-195-0x000000003B050000-0x000000003B076000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-190-0x000000003B020000-0x000000003B046000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-245-0x000000003B230000-0x000000003B256000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-185-0x000000003AFF0000-0x000000003B016000-memory.dmp

      Filesize

      152KB

      Download

    • memory/580-180-0x000000003AFC0000-0x000000003AFE6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-148-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-139-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-150-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-149-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-137-0x0000000000000000-mapping.dmp

      Download

    • memory/4712-147-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-144-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-146-0x0000000000410000-0x0000000000412000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4712-145-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-138-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-141-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4712-140-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4972-132-0x0000000000000000-mapping.dmp

      Download