Overview

overview

8

Static

static

5

1239b8f51a...ee.exe

windows7-x64

8

1239b8f51a...ee.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe

  • Size

    1.1MB

  • MD5

    02daff1e68eb29b7f4bbf6cf8254478a

  • SHA1

    5a61f408b0e6a04f30735f7aa62f023781d6a6aa

  • SHA256

    1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

  • SHA512

    87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

  • SSDEEP

    24576:m4lavt0LkLL9IMixoEgeahTPUQO7LbWp/Mq9MmCS:xkwkn9IMHeaxPOTWpkaPCS

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe
    "C:\Users\Admin\AppData\Local\Temp\1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Roaming\movie.exe
      "C:\Users\Admin\AppData\Roaming\movie.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 0127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\scratch.bat
    Filesize

    317B

    MD5

    290e6421f725ebe199c949e3760586f7

    SHA1

    2dc22f43ebd7d35b41198b8553d03645bc4f5c94

    SHA256

    5aeb23fa1135cd110438674f3c666436a2e9055e4b3d2b23bbf7ed7acf5c2408

    SHA512

    28431a28ce0f16a8135ecec8bcaa51951c605516b389aa5eddd8237c20b79faf40fc388ddbf7083f076ea758616ce41177ea1ba86a5969a8c9e32e40b699b455

    Download Submit

  • C:\Users\Admin\AppData\Roaming\movie.exe
    Filesize

    1.1MB

    MD5

    02daff1e68eb29b7f4bbf6cf8254478a

    SHA1

    5a61f408b0e6a04f30735f7aa62f023781d6a6aa

    SHA256

    1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

    SHA512

    87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\movie.exe
    Filesize

    1.1MB

    MD5

    02daff1e68eb29b7f4bbf6cf8254478a

    SHA1

    5a61f408b0e6a04f30735f7aa62f023781d6a6aa

    SHA256

    1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

    SHA512

    87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

    Download Submit

  • memory/2440-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3340-137-0x0000000000000000-mapping.dmp

    Download

  • memory/3988-135-0x0000000000000000-mapping.dmp

    Download