Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 22:18

General

  • Target

    d40922f2202d0712567888a9d758d52fd1ea346ebd713013cd41b3941726480c.exe

  • Size

    740KB

  • MD5

    49c9ffb13a4f3d16ef3b6e7604752deb

  • SHA1

    d3aeddaf4078a4f9784b697b958baac7b9e6410e

  • SHA256

    d40922f2202d0712567888a9d758d52fd1ea346ebd713013cd41b3941726480c

  • SHA512

    44ab4e8a29d7dd2409bdd593861c2d854d02516257ffce92e6dc759894d0c549014675569f2844514adf76d8cdcade52aaef672c3eb5542fbfa0e1179583ea6d

  • SSDEEP

    12288:Hu7sAF/9kWyUtuOsaM0YMFd/0Fp++nrxoq93DkJ0pfS:O/yWyBOsaM0jv/sp+2Sq9zkJ0VS

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Sets file execution options in registry (2 TTPs, 64 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory (3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 28 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d40922f2202d0712567888a9d758d52fd1ea346ebd713013cd41b3941726480c.exe
    "C:\Users\Admin\AppData\Local\Temp\d40922f2202d0712567888a9d758d52fd1ea346ebd713013cd41b3941726480c.exe"
    1⤵
    • Sets file execution options in registry
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Temp\qq.exe
      "C:\Temp\qq.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" ¨Á
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4880 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1608
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
        3⤵
          PID:936
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1&&del /f /q /a:- "C:\Users\Admin\AppData\Local\Temp\d40922f2202d0712567888a9d758d52fd1ea346ebd713013cd41b3941726480c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:4980

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Temp\qq.exe

            Filesize

            695KB

            MD5

            0e1dbefb779564da7035270ceea5e4cc

            SHA1

            3c48ea4793db3574d23a629ec15e6f4e0f2e2c1c

            SHA256

            2523eedcf7f26ffb3e47248e055d7388b4ba41e47c88df6a9214174b02567cb5

            SHA512

            5527530d0a28432d5a419a1c2858fc92479cb863e97441fe437430b1347a6293b062edb64f2973cee8dff52833afab5b29f1ddc34da02ad3168de48e4cd8fa5c

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            471B

            MD5

            f8f8086f87156d14091b152fcaadc3ce

            SHA1

            fe3cfbf9e2e871c948300473593dfcf189013386

            SHA256

            8d92f28b70ed5265fafad8b37ce049b0b8ecad038745173acc35a21b8222bf56

            SHA512

            1235be77513694a1478459e999631920be42183a6993dc1f93333831eaa54ea60c7d8617029289c95fed2f861fc7aa79da551c128df4428d23752044eb68ba7a

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            434B

            MD5

            b5548c5de678123fbc5db55fa0b2557b

            SHA1

            cf7bb0b9ee871ab4ffb52a946c9fad8765b57632

            SHA256

            63fb7b1e2753bfbcf551b901b9a30cbc6f9fb4117e38893d19022dc5a9e07244

            SHA512

            617badc22ba4d7bc2b419c6bb711a2bd4b285fc36ad490544e3e14bc7a4a1368e908338194abe2ae274f633fa90f36c56c9808cc1cf9bd42b2894b3892f40bff

          • C:\Windows\SysWOW64\Deleteme.bat

            Filesize

            78B

            MD5

            dddd4a9dabba3477253a39f2e71f6310

            SHA1

            a378e1ed7f436e933883824d48aba6c9cf9b1fbf

            SHA256

            50938491b1362ded95350876d085c35295ddb054b4fa186552dcaab521f8ec71

            SHA512

            0010e57203e8dac3b005879e67c2775a10f71817f3eb3fed361cdff22894da921c126dd7315bf52ff2cfec535cffe7c22f59a4d723bc6fc3cbd5a2a46b27531b