Overview

overview

8

Static

static

b6ac5b8279...d2.exe

windows7-x64

8

b6ac5b8279...d2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6ac5b82790e1cba7549a592313e6ef702a71bae044ad6cc08a8b5220856c2d2.exe

  • Size

    345KB

  • MD5

    c3cf3916615f0f6f22cd095ce558273e

  • SHA1

    2afd688e781777cf9c325ed3dd04e68b71d747e3

  • SHA256

    b6ac5b82790e1cba7549a592313e6ef702a71bae044ad6cc08a8b5220856c2d2

  • SHA512

    160235f957692e1a64c2fe59ec15867e0d107022cc84eb8a745c805a56e8fecd85a773a5640f9d43e51a50e3fa80a3be4ce9073671b2a13e4561c0d31acef3dc

  • SSDEEP

    6144:W7EQVsbfb37iC2epe1diNXB4gy3P5E8urgyYqlHzlqkf/:aEQiN2y1B4bP5/4gbaTlqk

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6ac5b82790e1cba7549a592313e6ef702a71bae044ad6cc08a8b5220856c2d2.exe
    "C:\Users\Admin\AppData\Local\Temp\b6ac5b82790e1cba7549a592313e6ef702a71bae044ad6cc08a8b5220856c2d2.exe"
    1⤵
    • Looks for VMWare Tools registry key
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:712
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" path win32_terminalservicesetting where (__Class!="") call setallowtsconnections 1
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4780

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\nmklo.dll
    Filesize

    115KB

    MD5

    6d8dff358d9d93e0a654bccb2307f2a4

    SHA1

    4612d57c787c34c78f543147d1f0bb0864f6ab5b

    SHA256

    8c057bc35c796b9667bbf538b1abb77282d54a9e4a84590a28da1d0795d2199f

    SHA512

    84ce6f101bb9f925b72ec7dc824af6df54d8765a760bef4860fe83f0aebaf806d3ca3ee7c126779b840d90f49aebbe5aa7061907efdd4a3eb6e0e258754fda38

    Download Submit

  • C:\Windows\SysWOW64\nmklo.dll
    Filesize

    115KB

    MD5

    6d8dff358d9d93e0a654bccb2307f2a4

    SHA1

    4612d57c787c34c78f543147d1f0bb0864f6ab5b

    SHA256

    8c057bc35c796b9667bbf538b1abb77282d54a9e4a84590a28da1d0795d2199f

    SHA512

    84ce6f101bb9f925b72ec7dc824af6df54d8765a760bef4860fe83f0aebaf806d3ca3ee7c126779b840d90f49aebbe5aa7061907efdd4a3eb6e0e258754fda38

    Download Submit

  • memory/712-140-0x0000000002290000-0x00000000022D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/712-141-0x0000000002290000-0x00000000022D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/712-133-0x00000000021A0000-0x00000000021CF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/712-137-0x0000000002290000-0x00000000022D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/712-138-0x0000000002290000-0x00000000022D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/712-139-0x00000000022F0000-0x0000000002306000-memory.dmp

    Filesize

    88KB

    Download

  • memory/712-132-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/712-134-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/712-142-0x0000000002380000-0x0000000002398000-memory.dmp

    Filesize

    96KB

    Download

  • memory/712-152-0x00000000023B0000-0x00000000023B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/712-147-0x00000000023A0000-0x00000000023A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/712-157-0x00000000023C0000-0x00000000023C9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/712-162-0x0000000002F10000-0x0000000002F19000-memory.dmp

    Filesize

    36KB

    Download

  • memory/712-167-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/712-169-0x0000000002290000-0x00000000022D0000-memory.dmp

    Filesize

    256KB

    Download