Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 16:36

General

  • Target

    4ca13329fc435a35f52c5538081d13096d201b2f120626fc324241f09659722c.exe

  • Size

    44KB

  • MD5

    fbea056bcb2f77165de6c6f9e8dfe1b9

  • SHA1

    385d3986111e386a32e7d34582f34248350bebb2

  • SHA256

    4ca13329fc435a35f52c5538081d13096d201b2f120626fc324241f09659722c

  • SHA512

    49fbba188ff590fa8507754948396adae440a576d39d8cc63b9b75b9de9f189c31905b8b9df0aade92cf25901f8d65dfda2a54145532c84246fa1c07e465faba

  • SSDEEP

    768:fAvCfsktlq2lms72owT9lMTx4IDEL8fJhEKrSauzSxX7d:fxfsL25ZCCHoLyFSauk7d

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ca13329fc435a35f52c5538081d13096d201b2f120626fc324241f09659722c.exe
    "C:\Users\Admin\AppData\Local\Temp\4ca13329fc435a35f52c5538081d13096d201b2f120626fc324241f09659722c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Program Files (x86)\Microsoft Ihuhuk\Wkowkyw.exe
      "C:\Program Files (x86)\Microsoft Ihuhuk\Wkowkyw.exe"
      2⤵
      • Executes dropped EXE
      PID:2436
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\6824.vbs"
      2⤵
        PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082

Downloads

    • C:\6824.vbs
      Filesize

      500B

      MD5

      08fc1264a95b4d5bf911f426f04be3cb

      SHA1

      680b4145bddf5fd5ae20abccafae6e9262fef937

      SHA256

      0e000912e4603bd9f822d0dfc707021823887b12f3574d2f19bdbdaf886aa97c

      SHA512

      be57c3709e9ba56657f41188553008a1bae70b1dbfb12ed1fa3b002db7ecf33a2fab15ca5486728e477e6455a7136bcc3c05e27746490419346595489b588713

    • C:\Program Files (x86)\Microsoft Ihuhuk\Wkowkyw.exe
      Filesize

      44KB

      MD5

      fbea056bcb2f77165de6c6f9e8dfe1b9

      SHA1

      385d3986111e386a32e7d34582f34248350bebb2

      SHA256

      4ca13329fc435a35f52c5538081d13096d201b2f120626fc324241f09659722c

      SHA512

      49fbba188ff590fa8507754948396adae440a576d39d8cc63b9b75b9de9f189c31905b8b9df0aade92cf25901f8d65dfda2a54145532c84246fa1c07e465faba

    • C:\Program Files (x86)\Microsoft Ihuhuk\Wkowkyw.exe
      Filesize

      44KB

      MD5

      fbea056bcb2f77165de6c6f9e8dfe1b9

      SHA1

      385d3986111e386a32e7d34582f34248350bebb2

      SHA256

      4ca13329fc435a35f52c5538081d13096d201b2f120626fc324241f09659722c

      SHA512

      49fbba188ff590fa8507754948396adae440a576d39d8cc63b9b75b9de9f189c31905b8b9df0aade92cf25901f8d65dfda2a54145532c84246fa1c07e465faba

    • memory/2436-132-0x0000000000000000-mapping.dmp
    • memory/3484-135-0x0000000000000000-mapping.dmp