Overview

overview

8

Static

static

b7e4c87489...4c.exe

windows7-x64

8

b7e4c87489...4c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7e4c87489f46e18e7e9142004f7869f5a913ee3facbf7d9f72edd392d4ad14c.exe

  • Size

    164KB

  • MD5

    59c60fef8a492bd46ce35eaa55caf7e1

  • SHA1

    d2fd117798a2f176333e3a00cf3dd513453c6f0f

  • SHA256

    b7e4c87489f46e18e7e9142004f7869f5a913ee3facbf7d9f72edd392d4ad14c

  • SHA512

    ab5c7aab9e76bf714d508d94f6c1255746a5f7802749ebf82633fb2a64559a7184565472f2e2117322f671fa4a8fe71e4259d6c114cacaa1de006edb68a90891

  • SSDEEP

    3072:KwxVMhOC/dTWbq91+mno3t4QZQ3rfgJkexN2hxbSZ0h0zGKu5or4EF:KTfFWbRnOTrfgJNX2HmZ0h067EF

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7e4c87489f46e18e7e9142004f7869f5a913ee3facbf7d9f72edd392d4ad14c.exe
    "C:\Users\Admin\AppData\Local\Temp\b7e4c87489f46e18e7e9142004f7869f5a913ee3facbf7d9f72edd392d4ad14c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\WINDOWS\dyulty\1.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\WINDOWS\dyulty\2.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\attrib.exe
            attrib +a +s +h C:\WINDOWS\dyulty
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:4052
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s 12.reg
            5⤵
            • Adds policy Run key to start application
            • Runs .reg file with regedit
            PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
    Filesize

    103KB

    MD5

    ec0dee6d14a7d0ba41448c14db624577

    SHA1

    bfeb8a15b61e0b9741d933382a788b998ff48c79

    SHA256

    24dc97b14198f1d9faf3f55060434104c5dda8f1ad63cab2e204529b0cff0da2

    SHA512

    fe63afdc4ff9600951502be228f6ea858ddcf75a23bfd16ed117a8f3bdde79d5891a2d64b1e50f6f3a239d48a878e43b79ae8f88d47fcaf5aeb268304827d2fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
    Filesize

    103KB

    MD5

    ec0dee6d14a7d0ba41448c14db624577

    SHA1

    bfeb8a15b61e0b9741d933382a788b998ff48c79

    SHA256

    24dc97b14198f1d9faf3f55060434104c5dda8f1ad63cab2e204529b0cff0da2

    SHA512

    fe63afdc4ff9600951502be228f6ea858ddcf75a23bfd16ed117a8f3bdde79d5891a2d64b1e50f6f3a239d48a878e43b79ae8f88d47fcaf5aeb268304827d2fb

    Download Submit

  • C:\WINDOWS\dyulty\1.vbe
    Filesize

    291B

    MD5

    5f2daf849a3163a79ab910738a6432db

    SHA1

    6dfd12d79f341b47cb18b5e0f1df444c184b240e

    SHA256

    d59fdb75abf811ea7f8e651cf8b357564da2b1bf02ee29ee3f702ae34d98e987

    SHA512

    e5773ee7981721b83e63a49625cb70178fc59836db0ecf4ed39891485ec766f1269ce672ef4e42a304451c48fe51b601b5208f6481031934fa30f2030261a471

    Download Submit

  • C:\WINDOWS\dyulty\12.reg
    Filesize

    348B

    MD5

    08f352809a5789cf3f3ec87aada7c45c

    SHA1

    ebf7d5ea10a868e9ab6fb9db7ba3258aaefad747

    SHA256

    69f3000983d5560b5aab573328cbab4767b34d78b7492a6e14b45974556f3f4b

    SHA512

    d61c70ceb2b1642a2107f0f19e37c18da75bba847a1378bede7d200e80c97e7474b0b0d8ed070f2f094ae2e653aebdce4b57adf73a691cba0220801b743e1012

    Download Submit

  • C:\WINDOWS\dyulty\2.bat
    Filesize

    80B

    MD5

    3264d564674f4d725f56869438132b00

    SHA1

    6e5e704834e8916b4a3db2a34139e76ea645ef5a

    SHA256

    a9728694ee9c6d96560d9dd5c4861d77b332c6892f2eff7a127a628120d08b79

    SHA512

    e00a36cfe9ed5c11e8e072ec8f78a0faadbc3c71fb398f552e78f176c6ad13ba0c332f0a422f86569b308dc633d8a439f898837b6b31e593c536c2d59bfca6ef

    Download Submit

  • memory/1752-132-0x0000000000000000-mapping.dmp

    Download

  • memory/1760-140-0x0000000000000000-mapping.dmp

    Download

  • memory/2316-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4004-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4052-139-0x0000000000000000-mapping.dmp

    Download