Overview

overview

10

Static

static

9db66a3372...ce.exe

windows7-x64

10

9db66a3372...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    195s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe

  • Size

    492KB

  • MD5

    81422d9300dc4b73043e21a7733fbe2d

  • SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

  • SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

  • SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

  • SSDEEP

    3072:0tNQKGSGtGSGOGOGlGln+VD/m8ClX0kUb+16H6b5p8I0yH/JN8HOWShM+L7aL7Ct:0sKbELf/MR/cWdi5pV/JNWOVhMO

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 12 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 12 IoCs
    evasion
  • Executes dropped EXE 11 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 48 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
    "C:\Users\Admin\AppData\Local\Temp\9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Program Files\Windows Alerter\WinAlert.exe
      "C:\Program Files\Windows Alerter\WinAlert.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
      "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4380
    • C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3380
    • C:\Program Files\Windows Alerter\WinAlert.exe
      "C:\Program Files\Windows Alerter\WinAlert.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
        "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3840
      • C:\Program Files\Windows Common Files\Commgr.exe
        "C:\Program Files\Windows Common Files\Commgr.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3504
    • C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
        "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        PID:4552
    • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
      "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2716
    • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
      "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Alerter\WinAlert.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Alerter\WinAlert.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Alerter\WinAlert.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\Program Files\Windows Common Files\Commgr.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    Filesize

    492KB

    MD5

    81422d9300dc4b73043e21a7733fbe2d

    SHA1

    7be7cd5622831d9c252c1ec9c48ebaf737b8a654

    SHA256

    9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

    SHA512

    94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
    Filesize

    667B

    MD5

    15b3714f9a4db408a8faadaba2d7f35a

    SHA1

    ccdb971be1b6b6b11f587ae438580e061520d071

    SHA256

    0e1dca52b51dcdd28a35a3759921cfbad7b41ebd9f1a05601d9fbb12760eda06

    SHA512

    10b7f33d5643050bbb6216512cf2a49adfba883ece4c7fcef6033ac9db63609e5295f8a32370025a00a48c23567a811b19ac2d50ea149ed3cd6f5ef06fe3e169

    Download Submit

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
    Filesize

    554B

    MD5

    17f9d286170384c805a0ebb6be4ab999

    SHA1

    eda4948dc30b44464636c4ef895ec24f6a9ccaa9

    SHA256

    f06b560eaf3cebcea9bcdeb80253ef66610e5e30b58b6e760921043102b0bc71

    SHA512

    6d026e0a2932ebdc666cebf59106d3b236e616e149215e42d313c53a0736778dddb847f14af7467a83719a616cb3aca95802302fb444a822fe2b4435939b98c2

    Download Submit

  • memory/1852-167-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2392-157-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2392-173-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2628-132-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2628-172-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2716-168-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3032-156-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3088-154-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3380-155-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3504-169-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/3840-171-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/4264-164-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/4380-139-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/4380-165-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/4552-170-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download