Overview

overview

8

Static

static

0882182756...5e.exe

windows7-x64

8

0882182756...5e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    184s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe

  • Size

    30KB

  • MD5

    afc2d30a50cdc6c710e92aac09daf1eb

  • SHA1

    6d5283fda926e5c0b9477ee7665eaf0b74fc9c09

  • SHA256

    0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e

  • SHA512

    3c82e5dbb073ef7481f0b1ce5966661f8a7c8538e7d38be3c9505edc41fce3ad34ed30c9f29ff26c480d2b87c06c90d0e57dde9ff5ab3b4a673c643842893cd3

  • SSDEEP

    384:Rx/s1q0xbI/nDTcmBH0FZcX7ckfwhNaBU5pArO1tFZIcqej9I1rj:Rx/s1qw+nDTjBH0jcXIAkE4mO1t70Pr

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe
    "C:\Users\Admin\AppData\Local\Temp\0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe url.dll,FileProtocolHandler C:\Windows\stub.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\stub.exe
        "C:\Windows\stub.exe"
        3⤵
        • Executes dropped EXE
        PID:2408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\stub.exe
    Filesize

    18KB

    MD5

    82b52cd57a1e4dc8f1629161d54aab7f

    SHA1

    a1a935e7e161bf0ed7bc2adbfcd4ef1620fe3c7d

    SHA256

    47db1bdf0cfa449fd5428f3e0ad9f9b5e4fca81791f2c2fc931be17ded9b07b6

    SHA512

    e796471f40270990debbb417c72b85e057b5a225fcb92cafd8d046f733e89c989a32f8a9e0328e193bae66488ddd3af819e3ee2ebdf0425ac1d6114516826523

    Download Submit

  • C:\Windows\stub.exe
    Filesize

    18KB

    MD5

    82b52cd57a1e4dc8f1629161d54aab7f

    SHA1

    a1a935e7e161bf0ed7bc2adbfcd4ef1620fe3c7d

    SHA256

    47db1bdf0cfa449fd5428f3e0ad9f9b5e4fca81791f2c2fc931be17ded9b07b6

    SHA512

    e796471f40270990debbb417c72b85e057b5a225fcb92cafd8d046f733e89c989a32f8a9e0328e193bae66488ddd3af819e3ee2ebdf0425ac1d6114516826523

    Download Submit

  • memory/816-135-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/816-137-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1628-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2408-138-0x0000000000000000-mapping.dmp

    Download