Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 17:31

General

  • Target
    4ba795a56c90d9473d7bae78be7f0ad274face2fcffec28e76200961c8c06f1f.exe
  • Size
    140KB
  • MD5
    a6fe1d2d5c4d42da096f889373839334
  • SHA1
    0bbe49943f152b525156208cd0dad663efea46e9
  • SHA256
    4ba795a56c90d9473d7bae78be7f0ad274face2fcffec28e76200961c8c06f1f
  • SHA512
    c16509616b1efe1c5c88d212da9efa7fd68432025cf6a4ab23e94bf84b7dfc743123015577378635be3bb87c4eecfe0a885df76c35022fe2a7544a16521321cf
  • SSDEEP
    3072:HBAp5XhKpN4eOyVTGfhEClj8jTk+0hYJVjvok:KbXE9OiTGfhEClq9bJVz

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ba795a56c90d9473d7bae78be7f0ad274face2fcffec28e76200961c8c06f1f.exe
    "C:\Users\Admin\AppData\Local\Temp\4ba795a56c90d9473d7bae78be7f0ad274face2fcffec28e76200961c8c06f1f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\dns2\dns\stidno.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\dns2\dns\obidno.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:1376

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files (x86)\dns2\dns\data.txt
    Filesize
    3B
    MD5
    069059b7ef840f0c74a814ec9237b6ec
    SHA1
    114d4eefde1dae3983e7a79f04c72feb9a3a7efd
    SHA256
    65a699905c02619370bcf9207f5a477c3d67130ca71ec6f750e07fe8d510b084
    SHA512
    8f38ba1b52fdbe35907eeb02f4cdd923dc608cbb560f1415cbac5858345e8aeaa3f43756602e2ec5f5e7637d65a627ccffa8cd636237110a9e8e207ad70d6bb5

  • C:\Program Files (x86)\dns2\dns\obidno.vbs
    Filesize
    965B
    MD5
    4aaa49a0d0f388ef9458d5647d93e5bc
    SHA1
    60d01fc724a749f11e9adbf8324215cb1b15976b
    SHA256
    54b38f0740dc184d583161a98068d766b28356a551c3a9f8d9f8f5c9af03d7c3
    SHA512
    8585ce097f0af2e5f52916a03aba7858300a7735bced2b8ef047d3351602218d2e97def3f56a78e9ec3221cdb4420a906026ddfed7c50982959b4c6c62a2fb66

  • C:\Program Files (x86)\dns2\dns\stidno.bat
    Filesize
    3KB
    MD5
    f9a55197332f781ea279ad522617f921
    SHA1
    c98e9cdad3e2baa7ae123e4d4493534a249bfc89
    SHA256
    e3d875953cd028393e3a4f621c00dc81cb9c992f7ba3fb7ac411499d6d2e8e45
    SHA512
    b36ae819e11070458095a78d8b8dbb9c47f8aa0a38b7d1781a03be39ba552ab8e3b7fa9bf632274020b51a3483e1ec0bf4be866b63e57d6e6a91d8e6bdfc1812

  • memory/1376-134-0x0000000000000000-mapping.dmp

  • memory/2236-132-0x0000000000000000-mapping.dmp