Overview

overview

10

Static

static

4a7dc47d47...34.exe

windows7-x64

10

4a7dc47d47...34.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    112s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe

  • Size

    2.0MB

  • MD5

    6f8572e5cca28c7103d72cea751d10bf

  • SHA1

    eeaab748db9bdca67ae4d279012c3f003cc8a3bb

  • SHA256

    4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634

  • SHA512

    bfa5d01aaacba0f20b19c54705cef543fdbceb588fc86a4a1ad5ba7be71dc1a043ab6e6cb4b7faea25c3aa3e6499717e5f306d2ac0a7240d65a8e149cdb77abe

  • SSDEEP

    49152:sMMMMMMMMMMMMMMMMMMMMMMMM9MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMs:sMMMMMMMMMMMMMMMMMMMMMMMM9MMMMMs

Score
8/10
evasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe
    "C:\Users\Admin\AppData\Local\Temp\4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe
      "C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe" aojtuujbjkr
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
          PID:4528
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 80
            4⤵
            • Program crash
            PID:3292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4528 -ip 4528
      1⤵
        PID:2984

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\53392G~1\TSBICC~1.HVO
        Filesize

        1.1MB

        MD5

        6f6dad92921dd28a40db79aad669f5ae

        SHA1

        8b77aa41642166e736a17d70621211b13596804d

        SHA256

        527b739c95b7640171e8585cf64372febbc60e9477977582dc63661f939dba80

        SHA512

        9dd8e9dd0d076094b7b4897c6fa1ebf0bef378187d07e0bd03a955d92e4bfde9bc7d5f73a236c006e2aa4a5674f779530bd0627f161aad63fbdd15d5866fd139

        Download Submit
      • C:\Users\Admin\53392G~1\iwth.VFA
        Filesize

        60B

        MD5

        5eaf31efa4f8055a1f92f3105e83243e

        SHA1

        766d696f41d041a552909f79c1f6b357d9c84e15

        SHA256

        a4f07855007136f9c981e86afd5413b4a3cb267c84939dd074cf43289bc79eda

        SHA512

        0fa9517172e88a0df97765165ff298d885a2d26af977ca9cc48a53327f71ea40d7548b689b81d9c18e845fe5b9507b7ec060d2eaf3688fa422bcaa0fd72e11be

        Download Submit
      • C:\Users\Admin\53392gx2394\aojtuujbjkr
        Filesize

        219.0MB

        MD5

        82882c281b903e065e155c9b179d214c

        SHA1

        d8a452c48c995907ab0c1742cf166a06de31c6a6

        SHA256

        e33067c503f6f1d6c683774cd5957854c418156cb6014167111a62cd8f703480

        SHA512

        03d12b48b0a15f195df94d294c2b1fcb9d0001b764c1025b6e7433528ca31b447ccbd51a82fe12461c1213e33cfaf3e9ddfd6e140a0b56e3dc1dab1210b505e9

        Download Submit
      • C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe
        Filesize

        732KB

        MD5

        71d8f6d5dc35517275bc38ebcc815f9f

        SHA1

        cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

        SHA256

        fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

        SHA512

        4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

        Download Submit
      • C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe
        Filesize

        732KB

        MD5

        71d8f6d5dc35517275bc38ebcc815f9f

        SHA1

        cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

        SHA256

        fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

        SHA512

        4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

        Download Submit
      • memory/4528-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4768-132-0x0000000000000000-mapping.dmp
        Download