Overview

overview

8

Static

static

d367c5c679...ac.exe

windows7-x64

8

d367c5c679...ac.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe

  • Size

    179KB

  • MD5

    f8dd91b886d2136eb98eeefbc3e77886

  • SHA1

    5d13e37e9ebf90a9d4db53be414390fa1293e884

  • SHA256

    d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac

  • SHA512

    8cde9bef8cd92043436f95864bccc0f1ab4308c0ba2c44490a4e8a6369fdd5a58ac89a8c20bd765ac4c430256134d0869ecaf96a67bc196d5a28baef1b301d3f

  • SSDEEP

    3072:ZBAp5XhKpN4eOyVTGfhEClj8jTk+0hyeTamwiKLYlXr6:cbXE9OiTGfhEClq9Yamwel+

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
    "C:\Users\Admin\AppData\Local\Temp\d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\poo\smar\loi.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:4304
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poo\smar\p01.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:4980
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poo\smar\p20.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\poo\smar\loi.bat
    Filesize

    3KB

    MD5

    18c585396805c18cb6fb0a9245100427

    SHA1

    1168912160b58f37fd06103392e70785f2156944

    SHA256

    9b726de3b4de452fa2c8ef7462cd34d88d0edd1948f745ed5c18b13b7cb0681e

    SHA512

    270c95f1b9fff941e09c734c152f1ce895fd97484194d58024d5c95c1149d3d7a97745c0314a1f751d464aa823089f8e39328a95089a0e713f623ae0f620ac98

    Download Submit

  • C:\Program Files (x86)\poo\smar\p01.vbs
    Filesize

    474B

    MD5

    09c9cbce8e1c5247ac87c445fd2c70e0

    SHA1

    986f4d3b31c7be48e67f5896a3712b6d107d046b

    SHA256

    6be70113621042778fd375130210d7e6a528f2a78afc98b3ca4e4cef8e130c64

    SHA512

    e06d2bab64a2ced89f69f690b008899830c50d880a02e83a97bc7646aad9c3ca30073b369ce489fb79c332392c41512efcfe550112e95b28a237c7f6bf749a40

    Download Submit

  • C:\Program Files (x86)\poo\smar\p20.vbs
    Filesize

    709B

    MD5

    70a12fb2f36b134e1ddd1b84dbbfde21

    SHA1

    cd3534c9f1a3c9f8473ddc48321be912505e4d6d

    SHA256

    7870a33a2200e1aaa1ac7ed5d98a980e5be7000cbf6e51cac3bdecbe7de5eb5b

    SHA512

    c49690afe5a194436fc20a95f173c300e11ee6a47a3717b75dcb3ffd7506d905e3e874baf5763eb43a91a98700941fe05186d1beae73c205940ddf66d7c08c41

    Download Submit

  • C:\Program Files (x86)\poo\smar\pl.txt
    Filesize

    1B

    MD5

    fc1262746424402278e88f6c1f02f581

    SHA1

    77ac341feebeb7c0a7ff8f9c6540531500693bac

    SHA256

    94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

    SHA512

    f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

    Download Submit

  • C:\Program Files (x86)\poo\smar\sk.txt
    Filesize

    5B

    MD5

    662f571084077a39a7ee622e48b44b9d

    SHA1

    319a598057c18d903c7e7fe2073763d22ae6d04b

    SHA256

    46f92e430ee20b98abfaecc6a24d454ffe1aa3e93856beadd471ff41e227d00c

    SHA512

    a326e2a471fa651e3cdd0b55746058e2927df25b140b8a85bc79c647787d7185046d404503385392152e815293d1451a4a393495af0878d922adb71cdc9d09b5

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    926B

    MD5

    90480e2746be0b042343e9cd369ff53d

    SHA1

    dd6ee839e07367c92b4d67365722f6a87e5b0b98

    SHA256

    fcff480b90f11e94a3a069c080134745b5541a9c428287c838cc8f263182ecd9

    SHA512

    672a7d868ce0d9270aabd4df7ac8369b11088feabc27a77363e076b8e70bf3ec5124710ff39cc7957eb062ecf12f8883202a5420afc8818868dacd536eac8af1

    Download Submit