Overview

overview

8

Static

static

2b873cb1b8...a8.exe

windows7-x64

8

2b873cb1b8...a8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    201s
  • max time network
    217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b873cb1b8eec5536a74c5ddab0472eff68cebf61757cbc317870b7192454ca8.exe

  • Size

    5.7MB

  • MD5

    f55559f66229a8cfb591e0bcaa54c109

  • SHA1

    17006709ee364b356e564a01fd70107c69691573

  • SHA256

    2b873cb1b8eec5536a74c5ddab0472eff68cebf61757cbc317870b7192454ca8

  • SHA512

    2ae90705029c37b3cead09d64cfd18bffb5507cd7def80b4a87a4f8759f205b4b9cbb86bfea090a71b98948b638c0ea35026da3925a5a5be082087791c3089de

  • SSDEEP

    98304:J2llez/udrnJll4dP5aSGie4udyO4Okjsstz8V8bHxLcIm:J2lUzYIoSGz4ud11/qiupm

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b873cb1b8eec5536a74c5ddab0472eff68cebf61757cbc317870b7192454ca8.exe
    "C:\Users\Admin\AppData\Local\Temp\2b873cb1b8eec5536a74c5ddab0472eff68cebf61757cbc317870b7192454ca8.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\WINDOWS\ÄæսĩÈÕ¸¨Öú.exe
      C:\WINDOWS\ÄæսĩÈÕ¸¨Öú.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.moriwg.net
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4648

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    a42abb21be3940a88a73771b18ed0f35

    SHA1

    de12f2f619852ef135ee726614c43c2033ec5743

    SHA256

    edaf1fb1f6ca2a0caf5f4d85b3f13507bd5df4971fa9ea8a6e08c1227f1ec667

    SHA512

    c1f775deb2bcb2e0c48ed74dec1cd95f34690ca16d6465175d52d60ae45e746201cc608a58b6f8f080b7e6a7893993b61093c7d9ff63fa735ebaba61ddd0ebf7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    434B

    MD5

    3f310b3c8e7421988801b40d7be46666

    SHA1

    e5ddaf1d23c899d69bb0412d1098c040b2cf84cf

    SHA256

    65f156a1bd559b3406153a8f7c8754685e048052953445bd5962223367e469eb

    SHA512

    7e6d7cfdc88682275154d213dcbf806c9c278382727c6ca22a7391ff1bdcc659139b550ccbc2b5078b1a06e80c09c2d82b264b6d347f356768c62d9e8901657b

    Download Submit
  • C:\WINDOWS\ÄæսĩÈÕ¸¨Öú.exe
    Filesize

    1.5MB

    MD5

    91c1583ee24aa5791e4cf2a54cf802d7

    SHA1

    b54d05d7be32a5595aa1fb1941cc77e3712a3013

    SHA256

    c30acd06f8aa69501b9ef174dd7ba0f32fde4f48a94a7b21e998a133280797d7

    SHA512

    7f9a46dab0fcf7deaeabef50689d834dacd650d83bcc6cbacb3e3b398c352d9499858e736f0342b2acae1ace6adcf7d9cd8624d4643930ec8d4d4eccbc778f77

    Download Submit
  • C:\Windows\ÄæսĩÈÕ¸¨Öú.exe
    Filesize

    1.5MB

    MD5

    91c1583ee24aa5791e4cf2a54cf802d7

    SHA1

    b54d05d7be32a5595aa1fb1941cc77e3712a3013

    SHA256

    c30acd06f8aa69501b9ef174dd7ba0f32fde4f48a94a7b21e998a133280797d7

    SHA512

    7f9a46dab0fcf7deaeabef50689d834dacd650d83bcc6cbacb3e3b398c352d9499858e736f0342b2acae1ace6adcf7d9cd8624d4643930ec8d4d4eccbc778f77

    Download Submit
  • memory/996-136-0x0000000076F00000-0x00000000770A0000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/996-1481-0x00000000028F0000-0x00000000029F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/996-1482-0x00000000028F0000-0x00000000029F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/996-137-0x0000000075DE0000-0x0000000075E5A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/996-132-0x0000000000400000-0x00000000009B5000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/996-1486-0x0000000000400000-0x00000000009B5000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/996-134-0x0000000075800000-0x0000000075A15000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/996-133-0x00000000776E0000-0x0000000077883000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4188-1483-0x0000000000000000-mapping.dmp
    Download