Analysis

  • max time kernel
    62s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2022 09:00

General

  • Target

    4eaac160bc7cacd6ba737410db279c87531532db8b084d66ad8244fc8dc85105.exe

  • Size

    1.3MB

  • MD5

    6c34e066d7d4641690a4ee919ee30036

  • SHA1

    07bfb47a9c3adb044c3bdbb22e4413a4a2c68710

  • SHA256

    4eaac160bc7cacd6ba737410db279c87531532db8b084d66ad8244fc8dc85105

  • SHA512

    601298d91fd4429622a9f799a801d24961b4be8d4c1ac61a6c44bf7dcb2d76cffb0981c9bec5627792d351ebfa73ba89ebc1ea12c4a47be35fc36a2285dd2b62

  • SSDEEP

    24576:PQ9u98/1Xx+nuiSgGKTPFU21HYYajOaIvuonXW:+ITRdfeO97G

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4eaac160bc7cacd6ba737410db279c87531532db8b084d66ad8244fc8dc85105.exe
    "C:\Users\Admin\AppData\Local\Temp\4eaac160bc7cacd6ba737410db279c87531532db8b084d66ad8244fc8dc85105.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "ECHO ! ERROR ! & echo.1 & echo. & echo.https://infinitycheats.me/download & echo. && PAUSE"
      2⤵
        PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\b482a262-96eb-4dfc-b553-b1cad325cc01.bat" "
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 1
          3⤵
          • Delays execution with timeout.exe
          PID:1080
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "4eaac160bc7cacd6ba737410db279c87531532db8b084d66ad8244fc8dc85105.exe"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1256
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4eaac160bc7cacd6ba737410db279c87531532db8b084d66ad8244fc8dc85105.exe"
          3⤵
          • Views/modifies file attributes
          PID:2032
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\b482a262-96eb-4dfc-b553-b1cad325cc01.bat"
          3⤵
          • Views/modifies file attributes
          PID:1260
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1644
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x580
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:560

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\b482a262-96eb-4dfc-b553-b1cad325cc01.bat
      Filesize

      380B

      MD5

      fb544bb9852659214c2cfe4dccb519c0

      SHA1

      7ccf995756ffb997dbcb9e1ced9207be43a9cb8b

      SHA256

      30b272fc0e5036310ae1296f8aa06a09d849702bf07ac23ea8f8825c584b73b4

      SHA512

      fb149cf9806cfd02ca3ae261cfab36c3e774f766542f4141a015d268b581f0d9c48a06042faca5fdd36419c0334d454a2a005712fe2e20b76449d2f1cf6a90f3

    • memory/1080-63-0x0000000000000000-mapping.dmp
    • memory/1256-64-0x0000000000000000-mapping.dmp
    • memory/1260-66-0x0000000000000000-mapping.dmp
    • memory/1408-61-0x0000000000000000-mapping.dmp
    • memory/1460-54-0x0000000004AD0000-0x0000000004B56000-memory.dmp
      Filesize

      536KB

    • memory/1460-58-0x0000000075F81000-0x0000000075F83000-memory.dmp
      Filesize

      8KB

    • memory/1644-59-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp
      Filesize

      8KB

    • memory/1876-60-0x0000000000000000-mapping.dmp
    • memory/2032-65-0x0000000000000000-mapping.dmp