Overview

overview

8

Static

static

44c3e2c2d1...47.exe

windows7-x64

8

44c3e2c2d1...47.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    76s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44c3e2c2d16f7c3dba2eec7581305a379d5e431a1e8df76d6e1c5542cd053647.exe

  • Size

    241KB

  • MD5

    294a9a5ca3fcfe7c87385a0c037842ad

  • SHA1

    11768025773247d57b118adeb2376c403c57f319

  • SHA256

    44c3e2c2d16f7c3dba2eec7581305a379d5e431a1e8df76d6e1c5542cd053647

  • SHA512

    c6043c41f58062e7f0c2bc2f6620e176331ba49575f3a98847fd1d3bb60005c77ee32c528fc03755174045c22c2df42817d0e9ac72e3fb68d75ab3e19318a616

  • SSDEEP

    6144:JZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876HvXnXCbW:XXmwRo+mv8QD4+0N46HvC6

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c3e2c2d16f7c3dba2eec7581305a379d5e431a1e8df76d6e1c5542cd053647.exe
    "C:\Users\Admin\AppData\Local\Temp\44c3e2c2d16f7c3dba2eec7581305a379d5e431a1e8df76d6e1c5542cd053647.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Program Files directory
      PID:2000
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Gorn\Gorn\1.txt
    Filesize

    17B

    MD5

    48e37d904b91a73a3767a0f4f948ed16

    SHA1

    5eb2d7960a7b70d0ff35955f0c0dcc81f639af6d

    SHA256

    f78569e80a53f76b2dcc0f0d8176f5ff5d328897fa1ca90b439591efb36a065b

    SHA512

    69cc48359aa0024f73208d9ea70c06c0c981707d4964e197984ba07625f9c8c586385200d169c5ceb6dc7721bde1b190de7b1361726b32afa8409867b35ed8c5

    Download Submit

  • C:\Program Files (x86)\Gorn\Gorn\2.txt
    Filesize

    27B

    MD5

    213c0742081a9007c9093a01760f9f8c

    SHA1

    df53bb518c732df777b5ce19fc7c02dcb2f9d81b

    SHA256

    9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

    SHA512

    55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

    Download Submit

  • C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs
    Filesize

    266B

    MD5

    9bffbbce46f2d499c61f472d4aa048c8

    SHA1

    e2db4f2c5e936fa6830351e95a2382a4f7347cc0

    SHA256

    7f15c98537cbd942b4c1980fb1ad4cdda949e0f5c9c68695db12ba79846e4cb6

    SHA512

    ffed5fe064f1817ded6556bb241a9a69c43d550d3190eebc764dd81dbc68ccdb6b403424bebff71afddab7246260fd4a15d39f93c13f1b32ec2cedc90d41d430

    Download Submit

  • C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat
    Filesize

    1KB

    MD5

    c133d2e8f9188d0b4213523f05532c81

    SHA1

    42b849e14fbdd4e238c28e140d32a6712c0c6b7a

    SHA256

    b90c877582d041f1bd8f40c096686da8a7f132db2591bfe80e4c06ada673ee33

    SHA512

    c035dc0b75b8b5c78eb3f065a8d7c30fd45113ec3b3db58326aa867b5dd633d92216ab4898879c28410c92c4dd4d6ab7ae6df7ced6ded68e2149ee35dffd44bb

    Download Submit

  • memory/628-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1784-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2000-55-0x0000000000000000-mapping.dmp

    Download