Overview

overview

8

Static

static

84b9b22552...5e.exe

windows7-x64

8

84b9b22552...5e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    82s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/12/2022, 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84b9b2255202d180c0077c7662f51a198a97af84811a2fa8b2aef8aa771c575e.exe

  • Size

    180KB

  • MD5

    45a62912ced6f24ee33d9d080f557c90

  • SHA1

    0dc8ade2ef5260684146656eb8015c1030ffb87e

  • SHA256

    84b9b2255202d180c0077c7662f51a198a97af84811a2fa8b2aef8aa771c575e

  • SHA512

    975fe4efd3e157faf03b03c864c42b0087b78a9150d966d2bd61d55be91c2c3da53e9f503a117abb4aa0cebebc7ad00fac0c946100167c5fa55aaddd7900229b

  • SSDEEP

    3072:eBAp5XhKpN4eOyVTGfhEClj8jTk+0hJZYCZqOuCYM:1bXE9OiTGfhEClq9UVZqOf9

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84b9b2255202d180c0077c7662f51a198a97af84811a2fa8b2aef8aa771c575e.exe
    "C:\Users\Admin\AppData\Local\Temp\84b9b2255202d180c0077c7662f51a198a97af84811a2fa8b2aef8aa771c575e.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:2000
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:1512
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:1320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat
    Filesize

    2KB

    MD5

    a68c363b2beb97e2197852cb09e4a222

    SHA1

    20360ed8e0ab2bef6d51e083aba49c057302df3d

    SHA256

    c3557736313a6564ddc3374987a58bb78aad86c22c210c291b93caa344a191da

    SHA512

    baa329b7b7c18411f75b1c8a8656481186fb757634209b0c2a35eb0ba9a8d67f4a5807e13c46415a97f81ffe362e42fc8957cc1d7a8a4edd87de1a1592828c44

    Download Submit

  • C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs
    Filesize

    448B

    MD5

    c92a6f77ded8c80942dcc8adff187367

    SHA1

    71e79502f802219eda515919ac8aea2b44c3e5e5

    SHA256

    be64837788cb94db8b512219a7c740eaa7d09384d0712f8729e5e42a0ef2def6

    SHA512

    1883615d49fc49aae67467cb5591c562da47813a19f33f5ac567bd4759a3f7271cbc26413310fb30df025f4b656ecae8764ad8fdfe7574b1c55bcecb26e32a74

    Download Submit

  • C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs
    Filesize

    505B

    MD5

    68cbcae0f1a323300f0ff8c04a69f46a

    SHA1

    14af6502d1464b8c9ec2496f92a67ef4f43c65d3

    SHA256

    251b2e53bc3e4932443859f77c1ebe720675b39883a50f918261decfb86e39d3

    SHA512

    7147d655308dbc69f6e28fac928ced8918da3c43c53264e8ad5b03c497ace9e3ae4843894c7b33671371d6ba27bd1f6731e4dbd72e4393bfd5f215c4ed0ad98e

    Download Submit

  • C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\she.he
    Filesize

    104B

    MD5

    160ab57966ebac43a0f8e547c83b07af

    SHA1

    bf6967319e5f2ae957996cb03971a6d52b86db9a

    SHA256

    db168763d6b1426947758fb2949fd16f8eeea229e910b2cae07ea18ebd1dcd8f

    SHA512

    564647148ec09249b40e1507ee737f6e2797637feb32cf0d5fcaec96113952e52c49ee5b7b215dc7434f1148e58dc0ff6edf51c6a0d46754877ff813c6debe43

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    9ae1ee9e515c1a3066506a2473887920

    SHA1

    b831426aa90ec1cbf53011c0d23f6e30969625f4

    SHA256

    febbfa05decdf915581d09e096dd79c561888b01c3e3d0933f8493344712cd2a

    SHA512

    a8bcb015deac34fa8a2e14e00f94ff6248dd9058d70e63eddf25ae1cb6455a450f3bef603722585fdaf7f9c9a9d8b61d2c0265c296538e45a6fe95d28c4397ae

    Download Submit

  • memory/904-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

    Filesize

    8KB

    Download