Analysis

  • max time kernel
    183s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 00:06

General

  • Target

    a2f4b5f28281faa670f23f3e873ba5faaf9ed311046b1a309955af0a6133de48.exe

  • Size

    376KB

  • MD5

    5b3899eaf351a5ba749e00c1dc66c94a

  • SHA1

    7f366c7dd094916d2676ca9b67c0f2368bc4b146

  • SHA256

    a2f4b5f28281faa670f23f3e873ba5faaf9ed311046b1a309955af0a6133de48

  • SHA512

    49650f124959b0191e639901dd765ae754615471d151c175ae0372a620319ba5cffc0ac012e0f3132c54fb00597077dd9e20bb538b3f95f80c5e48137334fd8a

  • SSDEEP

    6144:EbXE9OiTGfhEClq95YtwRuqkbQlLgzCmFJQyJvrrqrVcdBm3bGUHuBBc:QU9XiuiGvkbwLguYYh0ibBL

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2f4b5f28281faa670f23f3e873ba5faaf9ed311046b1a309955af0a6133de48.exe
    "C:\Users\Admin\AppData\Local\Temp\a2f4b5f28281faa670f23f3e873ba5faaf9ed311046b1a309955af0a6133de48.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\j1\j1\lomai_manya.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:3272
    • C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Program Files (x86)\j1\j1\polnostiu.jpg" /ForceBootstrapPaint3D
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3412
    • C:\Program Files (x86)\j1\j1\ya_hoshu_4tobi_ti_lomal_menya.exe
      "C:\Program Files (x86)\j1\j1\ya_hoshu_4tobi_ti_lomal_menya.exe"
      2⤵
      • Executes dropped EXE
      PID:1392
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 504
        3⤵
        • Program crash
        PID:2664
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    PID:3716
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1220
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1392 -ip 1392
    1⤵
    PID:4160

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Program Files (x86)\j1\j1\ko.txt

            Filesize

            2B

            MD5

            d645920e395fedad7bbbed0eca3fe2e0

            SHA1

            af3e133428b9e25c55bc59fe534248e6a0c0f17b

            SHA256

            d59eced1ded07f84c145592f65bdf854358e009c5cd705f5215bf18697fed103

            SHA512

            5e108bc2842d7716815913af0b3d5cb59563fa9116f71b9a17b37d6d445fe778a071b6abcf9b1c5bac2be00800c74e29d69774a66570908d5ea848dcc0abfa76

          • C:\Program Files (x86)\j1\j1\lomai_manya.bat

            Filesize

            3KB

            MD5

            687975280cca99d52fb24d6aedbcd633

            SHA1

            ed694dced2ec31002ff6512a8996dd81e34abf33

            SHA256

            af04058b4819c4c38901a68d09666a702e920ba27718c4720eadc361d83f68b9

            SHA512

            8c13721ca06d1c1db6e9fbae58a87970f0f9b0d7216c5c1254650fccad7c6444377193a53178d2f92ade382869997fff68c120becb188fed04c550666f3cb535

          • C:\Program Files (x86)\j1\j1\polnostiu.jpg

            Filesize

            31KB

            MD5

            8f579226e8fd4af43a9111505db29474

            SHA1

            bca4bcd599a5a9446be20cfec3392c60ef15a954

            SHA256

            515454f4e2622c157efaa9e831e4585936056bf5d3095d8c56965caa75f7cca3

            SHA512

            e24616cd8e7b88fb7566a47289e064cd0cccc2fe492c41f93049e6134820ed20e85731d8d13112d401f851f8286e569aea4e2501c975a4e0d06128bc76b79ecf

          • C:\Program Files (x86)\j1\j1\ya_hoshu_4tobi_ti_lomal_menya.exe

            Filesize

            508KB

            MD5

            f19af4108a2a4cf73873faf210eaa03c

            SHA1

            d16372de685c00d83e934cff8030536e654b2bf2

            SHA256

            63be2598b4d4c062aa7d0d76196490b1beb65aa7f61bb46939b4cb247330a63a

            SHA512

            2606a2ac1ebd91290a7939f4bc7890486c56fd5afba5dcd2a8cb5e42f06ba6529e01bace75ce0c34756a094d4f4517cb3528b4cff7c49035764e5468bb2a9535

          • memory/3716-139-0x000002609C930000-0x000002609C940000-memory.dmp

            Filesize

            64KB

          • memory/3716-140-0x000002609C970000-0x000002609C980000-memory.dmp

            Filesize

            64KB