Analysis
-
max time kernel
174s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01-12-2022 08:46
General
-
Target
4b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4.exe
-
Size
58KB
-
MD5
1de64e1cf2bda73ede782673333d0e70
-
SHA1
5854fff0080e6d800f4dfebd0612f0b14b923882
-
SHA256
4b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4
-
SHA512
e66f07b9d2a16355f61b2e8992408b6f08c8156b135b07fd9dd5f8777f28dc577f1b2e60bdb0c7abb05d7760a53b9889f21fd581a8fbb7e480b3749ba8d4933a
-
SSDEEP
768:+Hf+S26Iyfvcse5kzId8rH7R1fkGhg2QiGPL6QNcD3fTOZXKhB0q:yIyfvdzId8j7MGyPOZzTO6B0q
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4.exe"C:\Users\Admin\AppData\Local\Temp\4b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explore.exe"C:\Windows\system32\explore.exe" -UPD step3 C:\Users\Admin\AppData\Local\Temp\4b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4.exe|C:\Windows\system32\explore.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3964 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
58KB
MD51de64e1cf2bda73ede782673333d0e70
SHA15854fff0080e6d800f4dfebd0612f0b14b923882
SHA2564b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4
SHA512e66f07b9d2a16355f61b2e8992408b6f08c8156b135b07fd9dd5f8777f28dc577f1b2e60bdb0c7abb05d7760a53b9889f21fd581a8fbb7e480b3749ba8d4933a
-
Filesize
58KB
MD51de64e1cf2bda73ede782673333d0e70
SHA15854fff0080e6d800f4dfebd0612f0b14b923882
SHA2564b362a137f2a9759d152709b96db895cae84f0f96bfa747a374161d613e181c4
SHA512e66f07b9d2a16355f61b2e8992408b6f08c8156b135b07fd9dd5f8777f28dc577f1b2e60bdb0c7abb05d7760a53b9889f21fd581a8fbb7e480b3749ba8d4933a
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB