Overview

overview

10

Static

static

654fb375b7...ae.exe

windows7-x64

8

654fb375b7...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 10:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    654fb375b77fdf664901f3e4816c2a392b9f26efb7d31b20040077705d6e84ae.exe

  • Size

    363KB

  • MD5

    bd6ef7a2a1fb944e6f00bac58f022014

  • SHA1

    f8d86fccd8111b75c1ab6f21139f6d4f92bf0a60

  • SHA256

    654fb375b77fdf664901f3e4816c2a392b9f26efb7d31b20040077705d6e84ae

  • SHA512

    0374e99bfcfbc6b20224b93e6d80d4f27fbb85976589242d5e2369f0087be942e05ae03ff5320707af97fceb0092d08d3caf241bc6004e13d6261ea7b49574ab

  • SSDEEP

    3072:eNt/xAxJUJ9aS85+GxQkYRuKJJJJJJKJJJJJJJJJhnArCoc3FTCxZCJJN:eN/6D+mQkTef

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\654fb375b77fdf664901f3e4816c2a392b9f26efb7d31b20040077705d6e84ae.exe
    "C:\Users\Admin\AppData\Local\Temp\654fb375b77fdf664901f3e4816c2a392b9f26efb7d31b20040077705d6e84ae.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\ProgramData\%TEMP%.exe
      "C:\ProgramData\%TEMP%.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\%TEMP%.exe" "%TEMP%.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1228

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\%TEMP%.exe
          Filesize

          363KB

          MD5

          bd6ef7a2a1fb944e6f00bac58f022014

          SHA1

          f8d86fccd8111b75c1ab6f21139f6d4f92bf0a60

          SHA256

          654fb375b77fdf664901f3e4816c2a392b9f26efb7d31b20040077705d6e84ae

          SHA512

          0374e99bfcfbc6b20224b93e6d80d4f27fbb85976589242d5e2369f0087be942e05ae03ff5320707af97fceb0092d08d3caf241bc6004e13d6261ea7b49574ab

          Download Submit

        • C:\ProgramData\%TEMP%.exe
          Filesize

          363KB

          MD5

          bd6ef7a2a1fb944e6f00bac58f022014

          SHA1

          f8d86fccd8111b75c1ab6f21139f6d4f92bf0a60

          SHA256

          654fb375b77fdf664901f3e4816c2a392b9f26efb7d31b20040077705d6e84ae

          SHA512

          0374e99bfcfbc6b20224b93e6d80d4f27fbb85976589242d5e2369f0087be942e05ae03ff5320707af97fceb0092d08d3caf241bc6004e13d6261ea7b49574ab

          Download Submit

        • memory/688-63-0x0000000000A66000-0x0000000000A85000-memory.dmp

          Filesize

          124KB

          Download

        • memory/688-61-0x000007FEF4070000-0x000007FEF4A93000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/688-62-0x000007FEF2FD0000-0x000007FEF4066000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/688-66-0x0000000000A66000-0x0000000000A85000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1228-65-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1440-56-0x0000000002006000-0x0000000002025000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1440-55-0x000007FEF2FD0000-0x000007FEF4066000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1440-60-0x0000000002006000-0x0000000002025000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1440-54-0x000007FEF4070000-0x000007FEF4A93000-memory.dmp

          Filesize

          10.1MB

          Download