Analysis

  • max time kernel
    175s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 20:45

General

  • Target

    d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1.exe

  • Size

    155KB

  • MD5

    e51e3d5711bb87b76d703e10c4bad01a

  • SHA1

    21410b5fe87e9c8394f535485cc92d00ae3b795a

  • SHA256

    d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1

  • SHA512

    32a4491e4f8c86dfb6e156f61440a8a7ba297ffb1b484ae3ab8766efb20b3b2a6d87ae35ece51dd4c781be1e5d2666d793e5eb8a74637b478b376a7fe2881b4a

  • SSDEEP

    3072:lM+9i7SFCIXJZtWrl7fZt0Jhko4hMlFuWUwwMzhUmjapUmDV5jnQDntiPmowOv:lMTCPsBNtI4hjrbEtjRm7jnAtQm98

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    The BIOS vendor and version strings under HKLM\HARDWARE\DESCRIPTION\System\BIOS are often read to detect virtualised or sandboxed environments (hypervisor names show up in those values).

  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to enumerate connected storage/optical drive(s). Commonly seen in ransomware, but on its own this is not conclusive; no IoCs were recorded for it in this run.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1.exe
    "C:\Users\Admin\AppData\Local\Temp\d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1.exe
      "C:\Users\Admin\AppData\Local\Temp\d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4908
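The process tree above shows the parent (PID 4936) calling WriteProcessMemory and SetThreadContext against a second copy of its own image (PID 4908), the pattern usually described as process hollowing, after which the child performs the anti-VM registry checks. The following is an added example, not the sandbox's own rule logic: it re-derives those signatures from a constructed API-call trace modelled on this report. The `Event` layout, the API argument keys (`child_pid`, `target_pid`, `flags`, `key`) and the trace itself are assumptions; the registry paths and the `CREATE_SUSPENDED` flag value are the real ones.

```python
"""Added example (not the sandbox's code): flag process hollowing and VM/sandbox
registry checks in a constructed API-call trace shaped like the report above."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004  # real CreateProcess dwCreationFlags bit


@dataclass(frozen=True)
class Event:
    pid: int                                      # process that issued the call
    image: str                                    # image path of that process
    api: str                                      # Win32 API name
    args: Dict[str, object] = field(default_factory=dict)  # assumed argument keys


# Registry keys read by common VM checks, mapped to the report's signature names.
VM_REGISTRY_KEYS = {
    r"SOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONS": "Looks for VirtualBox Guest Additions in registry",
    r"SOFTWARE\VMWARE, INC.\VMWARE TOOLS": "Looks for VMWare Tools registry key",
    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS": "Checks BIOS information in registry",
}


def _normalise_key(key: str) -> str:
    """Upper-case and strip the hive prefix so both HKLM spellings compare equal."""
    key = key.upper().replace("/", "\\")
    for hive in ("HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if key.startswith(hive):
            key = key[len(hive):]
    return key


def registry_hits(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, signature) pairs for registry reads touching known VM keys."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        if ev.api not in ("RegOpenKeyExW", "RegQueryValueExW"):
            continue
        key = _normalise_key(str(ev.args.get("key", "")))
        for prefix, label in VM_REGISTRY_KEYS.items():
            if key.startswith(prefix) and (ev.pid, label) not in hits:
                hits.append((ev.pid, label))
    return hits


def hollowing_candidates(events: List[Event]) -> List[Tuple[int, int]]:
    """Return (parent, child) pairs where the parent spawned a suspended copy of
    its own image, wrote into it, and then called SetThreadContext on it."""
    suspended_self_children: Dict[int, int] = {}   # child pid -> parent pid
    written = set()                                # (parent, child) written to
    findings: List[Tuple[int, int]] = []
    for ev in events:
        if ev.api == "CreateProcessW":
            same_image = str(ev.args.get("image", "")).lower() == ev.image.lower()
            suspended = int(ev.args.get("flags", 0)) & CREATE_SUSPENDED
            if same_image and suspended:
                suspended_self_children[int(ev.args["child_pid"])] = ev.pid
        elif ev.api == "WriteProcessMemory":
            target = int(ev.args.get("target_pid", -1))
            if suspended_self_children.get(target) == ev.pid:
                written.add((ev.pid, target))
        elif ev.api == "SetThreadContext":
            target = int(ev.args.get("target_pid", -1))
            if (ev.pid, target) in written and (ev.pid, target) not in findings:
                findings.append((ev.pid, target))
    return findings


# Constructed trace mirroring the report's process tree (PIDs 4936 -> 4908 and the
# 0x400000-0x41A000 region dumped from the child); not captured from the sandbox.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d5123091b0a772e949619e61a8bd5ee354d50bab994bb8d6c5bcaa9bc24fbef1.exe")
TRACE = [
    Event(4936, SAMPLE, "CreateProcessW", {"image": SAMPLE, "child_pid": 4908, "flags": CREATE_SUSPENDED}),
    Event(4936, SAMPLE, "WriteProcessMemory", {"target_pid": 4908, "address": 0x400000, "size": 0x1A000}),
    Event(4936, SAMPLE, "SetThreadContext", {"target_pid": 4908}),
    Event(4936, SAMPLE, "ResumeThread", {"target_pid": 4908}),
    Event(4908, SAMPLE, "RegOpenKeyExW", {"key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"}),
    Event(4908, SAMPLE, "RegOpenKeyExW", {"key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"}),
    Event(4908, SAMPLE, "RegQueryValueExW", {"key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
                                              "value": "SystemManufacturer"}),
    Event(4908, SAMPLE, "RegOpenKeyExW", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}),
]

if __name__ == "__main__":
    for parent, child in hollowing_candidates(TRACE):
        print(f"hollowing: {parent} -> {child}")
    for pid, label in registry_hits(TRACE):
        print(f"{pid}: {label}")
```

The hollowing check deliberately requires all three steps in order (suspended self-spawn, write, SetThreadContext) so that a plain WriteProcessMemory into an unrelated process, or a SetThreadContext on a thread the parent never wrote to, does not fire on its own; the registry check matches on key prefix so value reads under the BIOS key are caught as well as opens of the key itself.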

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nssF552.tmp\lechers.dll

    Filesize

    60KB

    MD5

    6a4a2054a2e8cc16e4f176784d987c19

    SHA1

    6e4dde3b946dd544b006cf3a5195aa4e7b787cb3

    SHA256

    5422a9df39a0127b73a37958f8c924624acbdfdb912073f2684c890cce6417e2

    SHA512

    91f3b3d1face7101de54a16e332aa00bf3d6458754925cca1190787539a617c40f47bb7f2feb003002efbb2a9d0d01dc0f0d825479696091ae5f4811eb801683

  • memory/4908-136-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4908-138-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4908-139-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4908-140-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4936-134-0x00000000024C0000-0x00000000024D8000-memory.dmp

    Filesize

    96KB