Overview

overview

8

Static

static

b4111cb85a...45.exe

windows7-x64

8

b4111cb85a...45.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 10:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b4111cb85a0640cb3aceabd03cfdc6f4fd696467ccc38ae2ffefc2e61ff05a45.exe

  • Size

    409KB

  • MD5

    af43ff0e4c16762848f8806128656f36

  • SHA1

    311b8bdc6e3ac0ac9c1cf42aa1b4927cfcf0a192

  • SHA256

    b4111cb85a0640cb3aceabd03cfdc6f4fd696467ccc38ae2ffefc2e61ff05a45

  • SHA512

    d3d997c77b448ca4b5528b952695f04605fe2c89396850ca36f727346b4bdd4a6191f4eebabd88e9b2d35d23f491007a4a7b9c297a69b0322a620e738974e948

  • SSDEEP

    6144:kyMy3+RmJQjngSvzxTQH5UKT7Q4LE/MN1KtySkuEkfYH94YqfOkFKmhnAW:kiOQJoFzmZUc7Q5+1KxYH0frHN

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4111cb85a0640cb3aceabd03cfdc6f4fd696467ccc38ae2ffefc2e61ff05a45.exe
    "C:\Users\Admin\AppData\Local\Temp\b4111cb85a0640cb3aceabd03cfdc6f4fd696467ccc38ae2ffefc2e61ff05a45.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SYSTEM32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1048

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
          Filesize

          409KB

          MD5

          af43ff0e4c16762848f8806128656f36

          SHA1

          311b8bdc6e3ac0ac9c1cf42aa1b4927cfcf0a192

          SHA256

          b4111cb85a0640cb3aceabd03cfdc6f4fd696467ccc38ae2ffefc2e61ff05a45

          SHA512

          d3d997c77b448ca4b5528b952695f04605fe2c89396850ca36f727346b4bdd4a6191f4eebabd88e9b2d35d23f491007a4a7b9c297a69b0322a620e738974e948

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
          Filesize

          409KB

          MD5

          af43ff0e4c16762848f8806128656f36

          SHA1

          311b8bdc6e3ac0ac9c1cf42aa1b4927cfcf0a192

          SHA256

          b4111cb85a0640cb3aceabd03cfdc6f4fd696467ccc38ae2ffefc2e61ff05a45

          SHA512

          d3d997c77b448ca4b5528b952695f04605fe2c89396850ca36f727346b4bdd4a6191f4eebabd88e9b2d35d23f491007a4a7b9c297a69b0322a620e738974e948

          Download Submit

        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch
          Filesize

          980B

          MD5

          99c05a6553b98b8006e92e9f57c8d0e6

          SHA1

          74076eca3ee5b191b8f85eec8b0d72fc2f3c83eb

          SHA256

          0fb6476faf5a04f2068397076194c3b577255e9a5028cb23e93d192ba4b7da15

          SHA512

          437159ea265f1e1c3986b4a8234d8bfa71371ab13299db9441cc0e0a7925328547a6ff97ef545bf3237bae2ce0db3779dc15a6f3701530a262b81e066818fd32

          Download Submit

        • memory/1144-132-0x00007FF8B2550000-0x00007FF8B2F86000-memory.dmp

          Filesize

          10.2MB

          Download

        • memory/4744-137-0x00007FF8B2550000-0x00007FF8B2F86000-memory.dmp

          Filesize

          10.2MB

          Download