Analysis

  • max time kernel
    91s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-12-2022 17:24

General

  • Target

    7979d20879c2953193f3415e86639b6f9416de25301fd06a901feffbb894e052.exe

  • Size

    180KB

  • MD5

    f14d4e6494027e3ff07f5f2036f1820e

  • SHA1

    549ac5a0aeecae7ea3ac8f20ff371110b29c614d

  • SHA256

    7979d20879c2953193f3415e86639b6f9416de25301fd06a901feffbb894e052

  • SHA512

    c019c2f0c36fa97ba598d0cb1455fc7f5ab962a0f6d1ab2b9d6fc18f3d43ca6feeb856d46b67f261b77d254c54855044f43b1d4dc4bad264f522574d011f9763

  • SSDEEP

    3072:iBAp5XhKpN4eOyVTGfhEClj8jTk+0hq10RguxvyEu:xbXE9OiTGfhEClq9ab2

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it is a heuristic on drive enumeration alone; no file-encryption activity is recorded elsewhere in this report.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7979d20879c2953193f3415e86639b6f9416de25301fd06a901feffbb894e052.exe
    "C:\Users\Admin\AppData\Local\Temp\7979d20879c2953193f3415e86639b6f9416de25301fd06a901feffbb894e052.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\koasols\8000009\yomen.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:536
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\koasols\8000009\wadou.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:912
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\koasols\8000009\qoiw.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2840
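
The process tree above (a dropper in the user's Temp directory spawning cmd.exe on a .bat and WScript.exe on .vbs files, all staged under Program Files (x86)\koasols\8000009) is a hunt-friendly chain. The script below is an added example, not part of the sandbox report: it runs that hunt over constructed process-creation events shaped like Sysmon Event ID 1. The command lines and PIDs are copied from the Processes section; the parent of the root executable and the benign control event are assumed.

```python
"""Hunt for the dropper -> cmd.exe/WScript.exe chain over process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed: the
command lines and PIDs mirror the report, the parent of the root executable
(explorer.exe) and the benign control record are assumptions.
"""
import re

ROOT = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\7979d20879c2953193f3415e86639b6f9416de25301fd06a901feffbb894e052.exe")

EVENTS = [
    {"ProcessId": 476, "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent
     "Image": ROOT, "CommandLine": f'"{ROOT}"'},
    {"ProcessId": 536, "ParentImage": ROOT, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\koasols\8000009\yomen.bat" "'},
    {"ProcessId": 912, "ParentImage": ROOT, "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\koasols\8000009\wadou.vbs"'},
    {"ProcessId": 2840, "ParentImage": ROOT, "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\koasols\8000009\qoiw.vbs"'},
    # Constructed benign control: cmd.exe started from Explorer with no script argument.
    {"ProcessId": 999, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

# Interpreters that execute attacker-written script files.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
# Script files are not normally staged under Program Files; a .bat/.vbs there is odd.
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)
# Parent binary living in the user's Temp directory (where the dropper ran from).
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Drive-letter path on the command line ending in a script extension.
SCRIPT_ARG_RE = re.compile(r'([a-z]:\\[^"]+?\.(?:bat|cmd|vbs|vbe|jse|js|wsf))', re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def scripts_on_cmdline(cmdline: str) -> list[str]:
    """Script file paths referenced on a command line (quoted or not)."""
    return SCRIPT_ARG_RE.findall(cmdline)


def evaluate(event: dict) -> list[str]:
    """Reasons this event matches the chain; an empty list means no match."""
    reasons = []
    if image_name(event["Image"]) not in SCRIPT_HOSTS:
        return reasons
    for script in scripts_on_cmdline(event["CommandLine"]):
        if PROGRAM_FILES_RE.match(script):
            reasons.append(f"script interpreter runs {script} from Program Files")
    if USER_TEMP_RE.search(event["ParentImage"]):
        reasons.append(f"parent executable lives in user Temp: {event['ParentImage']}")
    return reasons


def hunt(events) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that matches at least one rule."""
    return {e["ProcessId"]: r for e in events if (r := evaluate(e))}


if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Each rule is weak on its own (cmd.exe from Temp is common during installers), so the hunt reports all matching reasons per process rather than a single verdict; the three children here trip both rules, the root and the control trip none.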

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Program Files (x86)\koasols\8000009\kola.txt

    Filesize

    5B

    MD5

    54cf174060515887896fcc44489efa4e

    SHA1

    6e9713ac165af4a63aba88acdbda265e78d3b94a

    SHA256

    96b00e269eb9f5cd380135ace16f8949e22fdc5c706cb60d3278fd32425239a8

    SHA512

    3325b7332cd8baddaec2fa56ff1aa5758f4ae3e2a675c865958243575a831525902b17839d819adb53afbc6abf5d892dcf17b5a4b7cc36ae84d60cc2aaf13091

  • C:\Program Files (x86)\koasols\8000009\qoiw.vbs

    Filesize

    439B

    MD5

    e038157425479fefd48a650a3051ba81

    SHA1

    afb2166a81788a8635fb59c6411c6dc10b0811e5

    SHA256

    e44090d6aa20beb7a850661a80f25474856c0b0c8c968586b129ec0201d8b5a1

    SHA512

    05e7f7cc0598c6a7239154f54bb5d2860ebce4dedf6d2739af02e5b3b9ee3c733a4d409ed37880ee9b203217436e429d1a7500565aab98d67c41000e2f1ad11c

  • C:\Program Files (x86)\koasols\8000009\wadou.vbs

    Filesize

    568B

    MD5

    182ef04b22a75e10c276a06075e1b83d

    SHA1

    711e83f34e706c2192b8746d4701c6e55c0440eb

    SHA256

    52450f42d82211b0fe624078bf0e088d86a0e3e594dcdd824b68fccfe9f80a3c

    SHA512

    93f83983c2b3915613415a94a2cf83b12b0812b3a20d98a8624abd724592329ca746f4625c0bc25aefe9fabed0ab6e9137afd9341680fc086a12a684d1e923df

  • C:\Program Files (x86)\koasols\8000009\yomen.bat

    Filesize

    3KB

    MD5

    9c3dec77de54cfad8da771a6d1473e18

    SHA1

    0869211ec399216071a7d0afc7b3663a58509c1c

    SHA256

    6c0b2110196d1b3d8a102ba6b1d7aa9b30526e9ece39859816016cb8e11359d9

    SHA512

    4758c8864ed0239819693767e573152595ae8f18276b1c5c02b2dbc902c3aa65368b7074315e6b1332a769488209e57e24eabfea66f22d144f1f2673572656d4

  • C:\Windows\System32\drivers\etc\hosts

    Rewritten copy of the system hosts file. The "Drops file in Drivers directory" signature fires on cmd.exe (yomen.bat) and WScript.exe (qoiw.vbs) above, and this is the only file under the drivers directory recorded in the report. The stock Windows hosts file contains only comment lines, so any active name-to-address entries in this 912-byte copy were supplied by the sample.

    Filesize

    912B

    MD5

    55b553615172c63abcd1fd783595ecdb

    SHA1

    e1a57f03b7e5767ba1998dafd89632fa93a7f6e6

    SHA256

    4127755c227fc7fbad3c745c253a7ccf458c4e8080d33637d5458ef99402e18e

    SHA512

    c7699bcdf8175df0b81f10239c3eb0e59f15378e77fd5fc3e809f09f61dae4b0757a596bd449ee0e129737c60c6bb94c56158599ebde000fde378c7f33a7ec7b
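
A hosts-file rewrite is usually meant to sinkhole update or AV domains at loopback, so incident triage should list the active entries rather than just diff hashes. The following is an added example, not part of the report: it parses a constructed hosts file (the report does not include the content of the captured 912-byte file), reports every non-comment entry and every host pointed at a loopback/blackhole address, and checks the file's SHA256 against the IOC hash the report lists.

```python
"""Triage a Windows hosts file: active entries, sinkholed names, IOC hash match.

Added example, not from the sandbox report. SAMPLE_HOSTS is constructed for the
demonstration and is not the file the sandbox captured; IOC_HOSTS_SHA256 is the
SHA256 the report lists for the dropped hosts file.
"""
import hashlib

IOC_HOSTS_SHA256 = "4127755c227fc7fbad3c745c253a7ccf458c4e8080d33637d5458ef99402e18e"

# Constructed: stock-looking header followed by two attacker-style entries.
SAMPLE_HOSTS = b"""# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       update.example-av.test
0.0.0.0         telemetry.example.test   # constructed entry
"""

# Constructed: a comment-only file, which is what an untouched hosts file looks like.
COMMENT_ONLY_HOSTS = b"# header\n#    127.0.0.1       localhost\n#    ::1             localhost\n"

# Addresses that make a name resolve to nowhere useful.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(data: bytes) -> list[tuple[str, list[str]]]:
    """Return (address, [hostnames]) for each active line; comments and blanks are skipped."""
    entries = []
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed; the resolver ignores it too
        entries.append((parts[0], parts[1:]))
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, ioc_hashes=frozenset({IOC_HOSTS_SHA256})) -> dict:
    """Summarise a hosts file for an incident note."""
    digest = sha256_hex(data)
    entries = parse_hosts(data)
    sinkholed = [name for addr, names in entries if addr in SINKHOLE_ADDRS
                 for name in names if name != "localhost"]
    return {
        "sha256": digest,
        "known_ioc": digest in ioc_hashes,
        "active_entries": entries,
        "sinkholed_hosts": sinkholed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HOSTS), indent=2))
```

On a live host, feed `triage()` the bytes of `%SystemRoot%\System32\drivers\etc\hosts`; a comment-only file yields no entries, and a `known_ioc` hit ties the box to this sample even if the sinkholed names look innocuous.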

  • memory/536-132-0x0000000000000000-mapping.dmp

  • memory/912-133-0x0000000000000000-mapping.dmp

  • memory/2840-135-0x0000000000000000-mapping.dmp