Overview

overview

8

Static

static

d3bdc82b9d...56.exe

windows7-x64

8

d3bdc82b9d...56.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 12:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe

  • Size

    1.4MB

  • MD5

    b428e5d6f582edeccd49c4a8a42449f8

  • SHA1

    f9ea1edee886d38e5543e2d98221ba87fea3a514

  • SHA256

    d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656

  • SHA512

    970e9127c17ed87f73782de129baeb144602f16d93cc21189f9faae36aaa7ac29f311443d4f88eb6e48347bebaa739b937263a728c690fcf74756b7faf81ca0f

  • SSDEEP

    24576:ZAYKY2GH6W0vXJccTACK5nSc61JtDlxnIvL0nEG5a7sR+y2rr71Z8xxn7F9AurMK:ZAJY9s5/Ann0JWLAEpy2rr71k7FKuruy

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe
    "C:\Users\Admin\AppData\Local\Temp\d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
        "C:\Windows\system32\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe" /Service
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        PID:3552
  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
    "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\TEMP\19410
      "C:\Windows\TEMP\19410" -u "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\TEMP\19518.bat"
        3⤵
          PID:4440

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit

          • C:\Windows\TEMP\19410
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit

          • C:\Windows\TEMP\19518.bat
            Filesize

            115B

            MD5

            44accbff4ad4da61d471138371a176f8

            SHA1

            121df60dcbcc1e6c501520fc4b5e8da9356420b8

            SHA256

            93e9ed9e5c9730f0a3ab4a18518acb6f0ea927b2a54e59717d7bae9e0f5ebbc5

            SHA512

            6dc1c4f371e1c3dc8645116f6491ef373603593fb3396e56ab1d7644b03a8696ed9a21eb7ac7abe3e648202a572cd44623dc8d2aeca5c21d02588aec38a2317e

            Download Submit

          • C:\Windows\Temp\19410
            Filesize

            5.1MB

            MD5

            53772d0e0aa23e5cc43f405d8d846b27

            SHA1

            e00c2ef1cec31aec62a2a6ef4eb980382315df51

            SHA256

            ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

            SHA512

            a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

            Download Submit