Overview

overview

8

Static

static

795637a924...da.exe

windows7-x64

8

795637a924...da.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    75s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    795637a92431574d95290ca7109587149309b061a952ff2b153da0fda343e6da.exe

  • Size

    2.0MB

  • MD5

    39fce4ee5499bb517b397573898e1af9

  • SHA1

    074eed3d2bbc3559b76069770abb5f3c730ee3d2

  • SHA256

    795637a92431574d95290ca7109587149309b061a952ff2b153da0fda343e6da

  • SHA512

    3a07e26bb09cc3df320f2bb6a419d022e71a6bda2a3f9a33efdc9b83aec00317054e191411bc99883a308640f69e0a0beee31f2747446967553c35129e27932f

  • SSDEEP

    24576:W2KrlpxUxHoFhp/S1AWmQO18C2BwfTs6T22CKRJqNE4u6FOcnDsHspz8vlX9xRB0:WTDxB8CWwfTX3clnBowjh7

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\795637a92431574d95290ca7109587149309b061a952ff2b153da0fda343e6da.exe
    "C:\Users\Admin\AppData\Local\Temp\795637a92431574d95290ca7109587149309b061a952ff2b153da0fda343e6da.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Enumerates connected drives
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop Spooler
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SysWOW64\net.exe
        net stop Spooler
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop Spooler
          4⤵
            PID:4868
      • C:\Windows\SysWOW64\tcpsvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\795637a92431574d95290ca7109587149309b061a952ff2b153da0fda343e6da2.exe"
        2⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1044
          3⤵
          • Program crash
          PID:3324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1020
            4⤵
            • Program crash
            PID:2120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1044
          3⤵
          • Program crash
          PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net start Spooler
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\SysWOW64\net.exe
          net start Spooler
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1984
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start Spooler
            4⤵
              PID:3440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4760 -ip 4760
        1⤵
          PID:1396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3324 -ip 3324
          1⤵
            PID:4788
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3324 -ip 3324
            1⤵
              PID:4252
            • C:\Windows\System32\spoolsv.exe
              C:\Windows\System32\spoolsv.exe
              1⤵
                PID:2540

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1616-135-0x0000000004140000-0x0000000004241000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1616-136-0x000000007FE40000-0x000000007FE49000-memory.dmp

                Filesize

                36KB

                Download

              • memory/1616-309-0x0000000004140000-0x0000000004241000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1984-452-0x0000000000000000-mapping.dmp

                Download

              • memory/3324-311-0x0000000000000000-mapping.dmp

                Download

              • memory/3324-365-0x0000000010000000-0x0000000010101000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/3324-450-0x0000000010000000-0x0000000010101000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/3440-453-0x0000000000000000-mapping.dmp

                Download

              • memory/3724-132-0x0000000000000000-mapping.dmp

                Download

              • memory/4760-174-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-180-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-153-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-154-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-156-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-155-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-157-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-158-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-159-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-160-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-161-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-162-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-163-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-165-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-166-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-164-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-167-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-168-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-170-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-169-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-173-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-172-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-171-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-149-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-175-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-176-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-177-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-178-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-179-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-152-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-181-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-182-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-183-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-184-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-185-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-187-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-186-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-189-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-188-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-190-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-191-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-192-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-193-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-194-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-195-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-196-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-197-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-198-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-199-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-200-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-146-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-201-0x000000007FDF0000-0x000000007FDF6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4760-310-0x0000000010000000-0x0000000010101000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4760-144-0x0000000000000000-mapping.dmp

                Download

              • memory/4760-145-0x0000000010000000-0x0000000010101000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4784-133-0x0000000000000000-mapping.dmp

                Download

              • memory/4868-134-0x0000000000000000-mapping.dmp

                Download

              • memory/5092-451-0x0000000000000000-mapping.dmp

                Download