Analysis

  • max time kernel
    153s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 16:51

General

  • Target

    8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe

  • Size

    38KB

  • MD5

    b1bf72c9c9bfc9b16f0bba3135de8377

  • SHA1

    a83c333d22d3e440a4a57cc03ea1318c35573853

  • SHA256

    8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272

  • SHA512

    b4062697d47415b7475f2c756b1671a14b4945621202311b97a782aea1f2acb5fa900ce37940ac7aa8d038a9bcbc633e9bcc2bb2a8838b1422377e3cd43a8584

  • SSDEEP

    768:9VO48tURyrl6iaLcuR+G7UxFEtTJFFXC3CKegOP:O4QUIrl3a5RCxOHFy3dC

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
    "C:\Users\Admin\AppData\Local\Temp\8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Users\Admin\AppData\Local\Temp\decrypted.exe
      "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\decrypted.exe
        StubPath
        3⤵
        • Executes dropped EXE
        PID:4160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 464
          4⤵
          • Program crash
          PID:5076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4160 -ip 4160
    1⤵
      PID:5056

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\decrypted.exe

      Filesize

      18KB

      MD5

      b6c14514b988e297c03f0019dd120f5c

      SHA1

      de0e8a847866e5bd33bfe18df1a5de6668c624d0

      SHA256

      ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

      SHA512

      bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

    • C:\Users\Admin\AppData\Local\Temp\decrypted.exe

      Filesize

      18KB

      MD5

      b6c14514b988e297c03f0019dd120f5c

      SHA1

      de0e8a847866e5bd33bfe18df1a5de6668c624d0

      SHA256

      ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

      SHA512

      bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

    • C:\Users\Admin\AppData\Local\Temp\decrypted.exe

      Filesize

      18KB

      MD5

      b6c14514b988e297c03f0019dd120f5c

      SHA1

      de0e8a847866e5bd33bfe18df1a5de6668c624d0

      SHA256

      ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

      SHA512

      bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5