Overview

overview

8

Static

static

8

67e92f935f...b9.exe

windows7-x64

8

67e92f935f...b9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    90s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67e92f935f79f90ca3c281bbbec60ef22c61c20b1aafa40d80ad577969b151b9.exe

  • Size

    140KB

  • MD5

    aaa699762994c30347894ec414c40557

  • SHA1

    446f4af57fbe1545f07fdd112ffebb76322acc97

  • SHA256

    67e92f935f79f90ca3c281bbbec60ef22c61c20b1aafa40d80ad577969b151b9

  • SHA512

    526775953fdc35b4b7c5ccf5a83e66e4e463c6b5b6370777670dc54b61f415a19f2f8269ee877ad208b51d6cde9fdded6d1ec6f9038843a6f5de8d39742e58cb

  • SSDEEP

    3072:pb4s/l8iiDXiYukRy9Vd746gh4Z91gCBzTz4y3/UHj7Nzspl+fX:pB/l0Xi3uyJ7Mhy9dx3s3f

Score
8/10
persistencevmprotect

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67e92f935f79f90ca3c281bbbec60ef22c61c20b1aafa40d80ad577969b151b9.exe
    "C:\Users\Admin\AppData\Local\Temp\67e92f935f79f90ca3c281bbbec60ef22c61c20b1aafa40d80ad577969b151b9.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240578140.bat" "
      2⤵
        PID:4844
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k ipv6hlpr -s ipv6hlpr
      1⤵
      • Loads dropped DLL
      PID:2444

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\240578140.bat
      Filesize

      239B

      MD5

      fc5ef1c9b03a3bfa38e4945fef2b037c

      SHA1

      b12e015f5da8ab3ceafded74c90823524ba8cd9a

      SHA256

      74fb9b7c2f8dfae4d1e8eeb35f313419e1ea28dd670bf78149408a4ddbed713a

      SHA512

      3d4b588ff5d7fd393ccd7f5c0c79ed4808827873ed0c78ae8975760b759f28dba49765f1db83dbe3a85857bf1ab10711becdc39e8160e0d38c8da4a414c20b6c

      Download Submit

    • C:\Windows\ipv6hlpr.dll
      Filesize

      140KB

      MD5

      b4ac2f5c048b7a69b731eb6ae9a88860

      SHA1

      b7d59328727345085b103b599d4ad20455c3edff

      SHA256

      4000c2c1b533e39b1e4dd8d21235e9c0abf26e98c31095544b500b20e5794311

      SHA512

      e0b2029e900f2f4ac140ca5389fec7bbff293782f3f05e3a516a6c0cbbffe8fc0582706b5606108e1d82e43bf63bde78db3651781fb51cd29be5e35b853bea57

      Download Submit

    • \??\c:\windows\ipv6hlpr.dll
      Filesize

      140KB

      MD5

      b4ac2f5c048b7a69b731eb6ae9a88860

      SHA1

      b7d59328727345085b103b599d4ad20455c3edff

      SHA256

      4000c2c1b533e39b1e4dd8d21235e9c0abf26e98c31095544b500b20e5794311

      SHA512

      e0b2029e900f2f4ac140ca5389fec7bbff293782f3f05e3a516a6c0cbbffe8fc0582706b5606108e1d82e43bf63bde78db3651781fb51cd29be5e35b853bea57

      Download Submit

    • memory/536-132-0x0000000000E50000-0x0000000000E97000-memory.dmp

      Filesize

      284KB

      Download

    • memory/536-133-0x0000000000E50000-0x0000000000E97000-memory.dmp

      Filesize

      284KB

      Download

    • memory/536-138-0x0000000000E50000-0x0000000000E97000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2444-136-0x0000000074E10000-0x0000000074E57000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2444-137-0x0000000074E10000-0x0000000074E57000-memory.dmp

      Filesize

      284KB

      Download