Overview

overview

8

Static

static

b18c25df69...81.exe

windows7-x64

8

b18c25df69...81.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    208s
  • max time network
    232s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/11/2022, 23:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe

  • Size

    335KB

  • MD5

    3123850b28df13cc3563713cb64caef5

  • SHA1

    d44eab7bf6067f3618c5aa9ac9e7a83a7127143f

  • SHA256

    b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481

  • SHA512

    2dad171e4e6c909080d299be105d39fc126840509908a7be981db5a6721c62f01bedccb2bcd73f3e9445bc5a1b1b72211221634c77906f712d7d0b3ecdde2f69

  • SSDEEP

    6144:ZbXE9OiTGfhEClq9Zd6cdURGBFphMn3k/NEXWGHAcRUoCR:hU9XiuiywGFpqn3k/NuVnk

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe
    "C:\Users\Admin\AppData\Local\Temp\b18c25df69fe115ec9d182d859ad35b33a6c80b4700abbf59f12c4d851471481.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\ololo\ku4uqt1.jpg" /ForceBootstrapPaint3D
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ololo\test3.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:1000
    • C:\Program Files (x86)\ololo\i12.exe
      "C:\Program Files (x86)\ololo\i12.exe"
      2⤵
      • Executes dropped EXE
      PID:2388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 664
        3⤵
        • Program crash
        PID:3836
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 2388
    1⤵
      PID:932
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:2116
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4800

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\ololo\i12.exe
            Filesize

            103KB

            MD5

            a37e8b3ae5d350aa0932b10ed8d4ef2e

            SHA1

            82dc374225ab3c69d57fddf7c205bf4f3646ee1f

            SHA256

            4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

            SHA512

            4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

            Download Submit

          • C:\Program Files (x86)\ololo\i12.exe
            Filesize

            103KB

            MD5

            a37e8b3ae5d350aa0932b10ed8d4ef2e

            SHA1

            82dc374225ab3c69d57fddf7c205bf4f3646ee1f

            SHA256

            4fd25da42614925487deaeab955da28a791c9e5bf00fb39fe64c038db69448b7

            SHA512

            4cbac7bcd50db894c4ed8ead75a365d7d3855f0ead9190146de871c2b154ecf82676b55d53d2ca7079d6becbaac74e523082df5c8392863d4e946bff9db37d68

            Download Submit

          • C:\Program Files (x86)\ololo\ku4uqt1.jpg
            Filesize

            51KB

            MD5

            b0f288f8053aa9f457c1dc867f2e3a26

            SHA1

            40103a7b0390bfe773414b37a8a0481f1d334ea9

            SHA256

            bda6429b629f34f3549518b0a5c2262eb3aa1eb74a1e5c472f97effd32c032f6

            SHA512

            bad571efb5b4fa3eac1f47308760199b68b042e06d5a69963366c5fa2250b1b3cff69bd659e11b5cfc976fef4def282aa386f3b8a32ff9e2a4f8ced616b1b569

            Download Submit

          • C:\Program Files (x86)\ololo\p.txt
            Filesize

            2B

            MD5

            3416a75f4cea9109507cacd8e2f2aefc

            SHA1

            761f22b2c1593d0bb87e0b606f990ba4974706de

            SHA256

            3d914f9348c9cc0ff8a79716700b9fcd4d2f3e711608004eb8f138bcba7f14d9

            SHA512

            e145ddd4c63521bd646145211682ea52dff04e67e79889fab04613dc7b6693368af53eb483dd22d278f6aa21bf180b1c83a1e3130e612f5722e50f11af694842

            Download Submit

          • C:\Program Files (x86)\ololo\test3.bat
            Filesize

            13KB

            MD5

            57b0c7259deb7b8baab290749af0c0f3

            SHA1

            612a22058e1c24f767e2fa5e6bc3d43d7f5b0f6d

            SHA256

            e13382cda584a4d2a38e7659e13d1343097c2a17d72d9b2489fa6d29f08f690f

            SHA512

            93c41867574b4b28150d3897ab153df3913c08aa713b519b25c6ba819dc3a65183da643cda3d48c14aace7dabcb09d297ccc5e1c814ba9249d873f7a29992b60

            Download Submit

          • memory/2116-142-0x0000015B67BA0000-0x0000015B67BB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2116-141-0x0000015B67B60000-0x0000015B67B70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2388-139-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/2388-140-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/2388-143-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download