Overview

overview

8

Static

static

3f22afde39...0e.exe

windows7-x64

8

3f22afde39...0e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    192s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f22afde396cac4a6b7394f11a6abc18777c40287e9cca2b4faad1ddeeaf410e.exe

  • Size

    182KB

  • MD5

    383ada6f86495557fbc91408892c8509

  • SHA1

    bd13d00dc26ae8b99791439523c8742ef632c75a

  • SHA256

    3f22afde396cac4a6b7394f11a6abc18777c40287e9cca2b4faad1ddeeaf410e

  • SHA512

    792b0ecf72cc9960decf7596b63579d229384f02450f69c2dc4561cb02540368473a9e48562623f41b4d233b2f60ac849a0dfd1f566df52909c0f5ce299bcf21

  • SSDEEP

    3072:OGjQzU0Ay7Tmxu39uwQwtS9SDQSsFNacO/RBTaM3bqhrtiPVf0vvg:OGEZAy/OTcU9SDDsFNa9fTaybqJtiP+X

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f22afde396cac4a6b7394f11a6abc18777c40287e9cca2b4faad1ddeeaf410e.exe
    "C:\Users\Admin\AppData\Local\Temp\3f22afde396cac4a6b7394f11a6abc18777c40287e9cca2b4faad1ddeeaf410e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\win64.exe
      "C:\Users\Admin\AppData\Local\Temp\win64.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\win64.exe" "win64.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\win64.exe
    Filesize

    182KB

    MD5

    383ada6f86495557fbc91408892c8509

    SHA1

    bd13d00dc26ae8b99791439523c8742ef632c75a

    SHA256

    3f22afde396cac4a6b7394f11a6abc18777c40287e9cca2b4faad1ddeeaf410e

    SHA512

    792b0ecf72cc9960decf7596b63579d229384f02450f69c2dc4561cb02540368473a9e48562623f41b4d233b2f60ac849a0dfd1f566df52909c0f5ce299bcf21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\win64.exe
    Filesize

    182KB

    MD5

    383ada6f86495557fbc91408892c8509

    SHA1

    bd13d00dc26ae8b99791439523c8742ef632c75a

    SHA256

    3f22afde396cac4a6b7394f11a6abc18777c40287e9cca2b4faad1ddeeaf410e

    SHA512

    792b0ecf72cc9960decf7596b63579d229384f02450f69c2dc4561cb02540368473a9e48562623f41b4d233b2f60ac849a0dfd1f566df52909c0f5ce299bcf21

    Download Submit

  • memory/960-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4668-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4668-137-0x0000000074710000-0x0000000074CC1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4668-139-0x0000000074710000-0x0000000074CC1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4776-132-0x0000000074710000-0x0000000074CC1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4776-136-0x0000000074710000-0x0000000074CC1000-memory.dmp

    Filesize

    5.7MB

    Download