Overview

overview

9

Static

static

8

8496ac1c9e...46.exe

windows7-x64

9

8496ac1c9e...46.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    193s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8496ac1c9e019094d362cce98f500ea401e6c677bce0bff79880695b3fb70746.exe

  • Size

    22KB

  • MD5

    cf6dee22f21bb92e6532efa366013f0e

  • SHA1

    3739554919ac64ab2be2eb06e34ce8118ac4cd26

  • SHA256

    8496ac1c9e019094d362cce98f500ea401e6c677bce0bff79880695b3fb70746

  • SHA512

    24f0deb8e9701c5dde8c76d39bf9428c95b954e9fcf4ba31a5be6a64a126b9fd4901363801ac39958dab983386803e0d5d36081db75b1298a807fe5cd1569936

  • SSDEEP

    384:WjqzhMhpcxxXjyjyRE2s2XdRgFZQDNveFfhh89eLOBAD4MSb:WjKhYpexOcE2s20gve/h898OKHU

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8496ac1c9e019094d362cce98f500ea401e6c677bce0bff79880695b3fb70746.exe
    "C:\Users\Admin\AppData\Local\Temp\8496ac1c9e019094d362cce98f500ea401e6c677bce0bff79880695b3fb70746.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8496AC~1.EXE >> NUL
      2⤵
        PID:2296

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\1957817A.dll
      Filesize

      14KB

      MD5

      f0f057dc66c89b2352bcef894a8f211a

      SHA1

      34ae375ee426239ceb1fb3307e29e6854bcbfef7

      SHA256

      b7fde3dbc6d4e7f02cd098ff3b6ef40ba8b4d178332b2eee5d7532d40c0fe98b

      SHA512

      660fb7808022f6c0afb46c7b08431345e334971249b5408e9f0a35cc25384ce6dc9550245c0eb495b0cff02a079c73479fab009f5c8bcb114b92e5cb42ff8818

      Download Submit

    • memory/4812-135-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4812-134-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4812-136-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4812-138-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download