Overview

overview

8

Static

static

826c1aec0b...1d.exe

windows7-x64

8

826c1aec0b...1d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    206s
  • max time network
    223s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe

  • Size

    112KB

  • MD5

    c873bd40adeab42b477853bb62acacf0

  • SHA1

    286144bec4309fedd9276eb7dfde218eb39b87ef

  • SHA256

    826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

  • SHA512

    cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

  • SSDEEP

    1536:gL5v4jy+2tZOR6+K+gvg0vNZnknHOTuc5PYfiU+TEEn+IQSzohftO:g/g+vg0nnqOTuCPCiU+TEpSz4t

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe
    "C:\Users\Admin\AppData\Local\Temp\826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Cmbnqe.exe
      "C:\Cmbnqe.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\6702.vbs"
        3⤵
          PID:2280
    • C:\Windows\Terms.EXE
      C:\Windows\Terms.EXE
      1⤵
      • Executes dropped EXE
      PID:3644

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\6702.vbs
      Filesize

      500B

      MD5

      479f9abf84c185f05b46221ebcf034ce

      SHA1

      f5747ec5a7078492b00414fe1e1b1ffd04b6ca8b

      SHA256

      ff0012d3e38cfeabef3704aa0343dcf5139c3a0adcee8c883e2f6e25d8251b69

      SHA512

      26be5fea9133a2c5ead1ad40143b25e389580ea02fb060931da4806daba40b05148259f78fdac75b40b000275a2a80159935a49279a79acdde97184785a7665a

      Download Submit

    • C:\Cmbnqe.exe
      Filesize

      112KB

      MD5

      c873bd40adeab42b477853bb62acacf0

      SHA1

      286144bec4309fedd9276eb7dfde218eb39b87ef

      SHA256

      826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

      SHA512

      cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

      Download Submit

    • C:\Cmbnqe.exe
      Filesize

      112KB

      MD5

      c873bd40adeab42b477853bb62acacf0

      SHA1

      286144bec4309fedd9276eb7dfde218eb39b87ef

      SHA256

      826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

      SHA512

      cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

      Download Submit

    • C:\Windows\Terms.EXE
      Filesize

      112KB

      MD5

      c873bd40adeab42b477853bb62acacf0

      SHA1

      286144bec4309fedd9276eb7dfde218eb39b87ef

      SHA256

      826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

      SHA512

      cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

      Download Submit

    • C:\Windows\Terms.EXE
      Filesize

      112KB

      MD5

      c873bd40adeab42b477853bb62acacf0

      SHA1

      286144bec4309fedd9276eb7dfde218eb39b87ef

      SHA256

      826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

      SHA512

      cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

      Download Submit