Overview

overview

8

Static

static

7

a5534cb358...00.exe

windows7-x64

8

a5534cb358...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    163s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2022, 23:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a5534cb35856419b371eb205ab203d0ec56db0a6887feba7e2238e4cc6aabb00.exe

  • Size

    165KB

  • MD5

    baa80e6f67617d3b1b278e9691c402dc

  • SHA1

    0f0dcdca17d3a2f9eab5ded65131f9d96ff0d3ab

  • SHA256

    a5534cb35856419b371eb205ab203d0ec56db0a6887feba7e2238e4cc6aabb00

  • SHA512

    24666b171737fd6a75ea0f00f80c1a9a5e97779b4d39c54f0161484064bf81eb95df9b808accc7a5d899d8f60962c186ae65d7b706cb1ce0f91a787e08ce5d86

  • SSDEEP

    3072:JoDqR9vK7ZktBOgC65uWhIwrXferssCfinalwd9nEp2Ivu9q/GlL4SGiJR:2XZktYu3r2YLqaqd9E1vuMIL/b

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5534cb35856419b371eb205ab203d0ec56db0a6887feba7e2238e4cc6aabb00.exe
    "C:\Users\Admin\AppData\Local\Temp\a5534cb35856419b371eb205ab203d0ec56db0a6887feba7e2238e4cc6aabb00.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\SysWOW64\CMD.exe
      "CMD"
      2⤵
        PID:5020
      • C:\Windows\SysWOW64\CMD.exe
        "CMD"
        2⤵
          PID:4912
        • C:\Users\Admin\AppData\Local\Temp\a5534cb35856419b371eb205ab203d0ec56db0a6887feba7e2238e4cc6aabb00.exe
          "C:\Users\Admin\AppData\Local\Temp\a5534cb35856419b371eb205ab203d0ec56db0a6887feba7e2238e4cc6aabb00.exe"
          2⤵
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4312
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            3⤵
            • Adds policy Run key to start application
            • Drops file in Program Files directory
            PID:4700
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          2⤵
            PID:5108
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            2⤵
              PID:4500
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe"
              2⤵
                PID:4604
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                2⤵
                  PID:1068
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  2⤵
                    PID:4980
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    2⤵
                      PID:644

                  Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/4208-133-0x00000000751C0000-0x0000000075771000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/4208-134-0x0000000001080000-0x0000000001085000-memory.dmp

                          Filesize

                          20KB

                          Download

                        • memory/4208-148-0x00000000751C0000-0x0000000075771000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/4208-132-0x00000000751C0000-0x0000000075771000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/4312-138-0x0000000000400000-0x0000000000405000-memory.dmp

                          Filesize

                          20KB

                          Download

                        • memory/4700-140-0x0000000000670000-0x000000000067E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/4700-141-0x00000000006E0000-0x00000000006E5000-memory.dmp

                          Filesize

                          20KB

                          Download

                        • memory/4700-149-0x00000000006E0000-0x00000000006E5000-memory.dmp

                          Filesize

                          20KB

                          Download