Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-11-2022 09:01

General

  • Target

    946d56aa46be6b545ea92d8ce35190579d72b1f6165bc11a6c820ee5dc7d33dc.exe

  • Size

    326KB

  • MD5

    57c64912e6ce05cbb0550aab2dc9bed7

  • SHA1

    5026faead451e4324ed150f5ac874225626e551b

  • SHA256

    946d56aa46be6b545ea92d8ce35190579d72b1f6165bc11a6c820ee5dc7d33dc

  • SHA512

    0f4247b5de7e0b9ac1a78e82e4b27618e297d90c4a2782b34a64b1321ad6cfe3f3239710c07c9f58d4f00f1823f5cc1dd0d8628ed62f1706a8d255d44aa0cffe

  • SSDEEP

    6144:yz+92mhAMJ/cPl3iZM+OS/ku0SOfZcfVKYLXCeT6tZbQG/fuSuNUqBBJWphERnd:yK2mhAMJ/cPlL+OSsu0/hcfVKYLXCeTD

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\946d56aa46be6b545ea92d8ce35190579d72b1f6165bc11a6c820ee5dc7d33dc.exe
    "C:\Users\Admin\AppData\Local\Temp\946d56aa46be6b545ea92d8ce35190579d72b1f6165bc11a6c820ee5dc7d33dc.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\setup.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Users\Admin\AppData\Local\Temp\installer.exe
        "C:\Users\Admin\AppData\Local\Temp\installer.exe" 2014.CCC
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Users\Admin\AppData\Roaming\Chromium.exe
          C:\Users\Admin\AppData\Roaming\Chromium.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2184
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN GoogleUpdateTaskMachineCore /F
            5⤵
            PID:1652
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN GoogleUpdateTaskMachineUA /F
            5⤵
            PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    Bypass User Account Control (1) T1088
  • Defense Evasion
    Bypass User Account Control (1) T1088
    Disabling Security Tools (1) T1089
    Modify Registry (3) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (3) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\installer.exe
    Filesize: 419KB
    MD5: d8a118d85c961555d8cb852027a41b5f
    SHA1: ec58e66c540bb3cf2e13df533d1c405735e1dee4
    SHA256: b421dd6a12113baba95a4ad55b5c3583952f01b06b06706796da81cfdb4e066a
    SHA512: c62bde771048af33d3abc907a391087d053193d42274edaa4c3112e5589ce93083249598d52681b16b09cccbdb85d83ba04dc8d34f2f3dc377aa04197315c537

  • C:\Users\Admin\AppData\Local\Temp\setup.vbs
    Filesize: 58B
    MD5: d0f82f0f532333cc394c3d65637a363c
    SHA1: 233b8003d2c178e470f6156b9d9c17cc49169b53
    SHA256: c91fd6426ca8672e750d34ccf3cda0f36226427cff492fe9a4525a5e89202ec4
    SHA512: 65a82ef5474ac69038bef1660fa816ad1256d82cb5130b2401e272951f688506dba8f4fbda73799db0394c4950c7bf8b2278abd939e5b617fa2de50f6653f5ab

  • C:\Users\Admin\AppData\Roaming\Chromium.exe
    Filesize: 419KB
    MD5: d8a118d85c961555d8cb852027a41b5f
    SHA1: ec58e66c540bb3cf2e13df533d1c405735e1dee4
    SHA256: b421dd6a12113baba95a4ad55b5c3583952f01b06b06706796da81cfdb4e066a
    SHA512: c62bde771048af33d3abc907a391087d053193d42274edaa4c3112e5589ce93083249598d52681b16b09cccbdb85d83ba04dc8d34f2f3dc377aa04197315c537

  • memory/1392-135-0x0000000000000000-mapping.dmp
  • memory/1652-140-0x0000000000000000-mapping.dmp
  • memory/1944-141-0x0000000000000000-mapping.dmp
  • memory/2184-137-0x0000000000000000-mapping.dmp
  • memory/5056-132-0x0000000000000000-mapping.dmp