Analysis

  • max time kernel: 153s
  • max time network: 207s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-11-2022 18:14

General

  • Target: caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe
  • Size: 1.6MB
  • MD5: 2b7823f86268bfb968865907ce46750a
  • SHA1: e5fdbeed91bc034728ddd79807fd0c5cce10df6b
  • SHA256: caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d
  • SHA512: bcfedf113c2008a1de006043c6dd4d9fd63be71a18bbb5709e73607693083a668e9b9c81c7a93064f054eafa9b4b6add28ff4c35203500feb2afb94c6280a0c5
  • SSDEEP: 24576:72O/GlKfj2BeJbXJAdVutylJJmAdCDD0/ARLPCs8KrM3bD4d7g6zwm4m53Sb23:X9JautylSAdK0/ARLq7bDQ5kFm53Sy3

Malware Config

Signatures

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe
    "C:\Users\Admin\AppData\Local\Temp\caa697dcf338eec92ba2c1bddd242c659650cb161f47c1c239806d171e16ce5d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\d2vkfr8\acrob32.exe
      "C:\Users\Admin\d2vkfr8\acrob32.exe" tolmkgbamw
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (3) T1082


Downloads

  • C:\Users\Admin\d2vkfr8\acrob32.exe
    Filesize: 732KB
    MD5: 71d8f6d5dc35517275bc38ebcc815f9f
    SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
    SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
    SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

  • C:\Users\Admin\d2vkfr8\arrgfr.PTT
    Filesize: 84B
    MD5: 05b3d58b2ea16dd9083e3a10787c6563
    SHA1: 1535f36c16d8346cdae641600167272167250db9
    SHA256: d608f03ca15c996a4dc6ca0c5706acb5b61986ee8c8a7e108967ee6c619dc3ec
    SHA512: 45cf8258804c09e1fceed1546e2a13409aee3bd20f7498278e60080d5048cb9e592c03589306e24e35497ecc21f77c249451b70878e8b260ed8a411737928280

  • C:\Users\Admin\d2vkfr8\sqxp.WCT
    Filesize: 936KB
    MD5: 95562f764e16e1d2445b6449428a1839
    SHA1: 9ce1664ce6206e0c8a78e7de5a759643358cc505
    SHA256: 6b26fedf0364f8fd558f8c60279886529ba298b4f8e6c6a473772900a52e887e
    SHA512: 8fef2425f21bdd5c45b4470336284c53b5a5d0161be6c87906d0b684551c5edf5f7f88eb63e2aa167e5b47dce6c17ecd7354f948222243ca341a515b9bf30a19

  • C:\Users\Admin\d2vkfr8\tolmkgbamw
    Filesize: 306.2MB
    MD5: 07ae1fae147a2737c9c61f4c61efe8be
    SHA1: 626d33ed3de4f3e3d8cee6a93caccdf47e869e1c
    SHA256: 50cd946449317eb4a86d561450dd590247f3508c520391380ea3d4218d88e945
    SHA512: fce031e74412a341f9c29bd4125e9c8d3460ad57dcd72183294f01c6ea3cf445914f53e6adb62d7a30431855f7228a1f0b0e1ce85c62560c85f131d2284ef479

  • memory/2044-132-0x0000000000000000-mapping.dmp
  • memory/4408-138-0x0000000000000000-mapping.dmp
  • memory/4408-139-0x0000000000400000-0x00000000004F0000-memory.dmp
    Filesize: 960KB
  • memory/4408-140-0x0000000073F90000-0x0000000074541000-memory.dmp
    Filesize: 5.7MB