Overview

overview

8

Static

static

34f9f02c5e...2d.exe

windows7-x64

8

34f9f02c5e...2d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    36s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34f9f02c5ea6022af84a6b0a28752bb125ea9a8327fe684cc62684a778534d2d.exe

  • Size

    158KB

  • MD5

    f325bd5bcea626e6f94443199bd52ced

  • SHA1

    15eb3b4eaf90b9eaf698b7e95892d6d02d1721ae

  • SHA256

    34f9f02c5ea6022af84a6b0a28752bb125ea9a8327fe684cc62684a778534d2d

  • SHA512

    3867cd9da0d18d526b3e9615a3d0477d14c9bc6d47c8526265005f0b2f5de1e3c25588f378494b4c5e9a0fd2540bc68988d5cd3832e5634bf6534707bc7af001

  • SSDEEP

    3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6iibrBXVmr:PbXE9OiTGfhEClq9FKx9qrbmr

Score
8/10
discovery

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34f9f02c5ea6022af84a6b0a28752bb125ea9a8327fe684cc62684a778534d2d.exe
    "C:\Users\Admin\AppData\Local\Temp\34f9f02c5ea6022af84a6b0a28752bb125ea9a8327fe684cc62684a778534d2d.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Ss\Tl\chelovek_i_koshkai.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ss\Tl\sklinkolo.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:952
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ss\Tl\abrekovich.vbs"
        3⤵
          PID:940

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Ss\Tl\abrekovich.vbs
      Filesize

      135B

      MD5

      6d097732a26e75b3a7520fba76fd9bb3

      SHA1

      aeae94eef1aac2e23633ad089ab3238c712f4a17

      SHA256

      55b74d0ad418336dbc1b740a2f397fa74a4b956bf0439f357006f1c174b3098c

      SHA512

      4471195a23a38cbc229764f6b6ee88b81ecbe193960804303f24d147e55e9cfe4ce7036a045e7ec220522b60a8c65961a972eea42d9788a6cddb8b11463b3c0a

      Download Submit

    • C:\Program Files (x86)\Ss\Tl\chelovek_i_koshkai.bat
      Filesize

      1KB

      MD5

      76467cab6fccd7c5d2b6b470a99c4afa

      SHA1

      7723aa4728f78e964f770027e45efe7f12b41159

      SHA256

      d40017dbbbae20d1098e9a509b8ccc7a460ce28aef5be36c3bb761801592ac6a

      SHA512

      c3e177b93f07284f7d518e9d5db36f137d94c3f86176951a1c8c5744f8c73188719c5319f00fd1828d4a49d1ff723ea087be425799254084ecfb7fe7f9c91808

      Download Submit

    • C:\Program Files (x86)\Ss\Tl\indula.dha
      Filesize

      55B

      MD5

      97e448bca7375ecf8181594125b513b7

      SHA1

      d1c83846f416ed64c3f7de53de343c1cc0c5d17e

      SHA256

      4bce8a67abe8559da184048d36d1464124a3411e97acf8b0df46335e36701320

      SHA512

      584f7d7ba2783ca34dcbfc896fbafd97792cf40544faff892e10e981f381f210ec4fae432be660f22e6abcfb3bf0f4a402ebcb50146a755ffc3503ddb4b873c3

      Download Submit

    • C:\Program Files (x86)\Ss\Tl\okdodldddd.po
      Filesize

      27B

      MD5

      213c0742081a9007c9093a01760f9f8c

      SHA1

      df53bb518c732df777b5ce19fc7c02dcb2f9d81b

      SHA256

      9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

      SHA512

      55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

      Download Submit

    • C:\Program Files (x86)\Ss\Tl\sklinkolo.vbs
      Filesize

      883B

      MD5

      91b6b79e21f986232fec81273066bfb9

      SHA1

      ffd07d790513a9307f7cc59e73719611a4e2494c

      SHA256

      5b00eb93bb52248608bd1fadde5a2316716b42bb27e8b6ebb01b1df589e8969c

      SHA512

      6c65efe75cea55a1579ecacee67c8015c38014b69a09d4bb1efc1ec982a28e5e2cbdcdadb49076aa2a33f0e3fc508e7a3ebdc4d77af6c4a205475b66bebdfd3e

      Download Submit

    • C:\Windows\System32\drivers\etc\hosts
      Filesize

      1KB

      MD5

      154e3621441bebe0623944a5c24412eb

      SHA1

      9e72dc491bcc5b86fbe88698ef3302a686f298d6

      SHA256

      6013af61c1c98aa3ed844df01107ea31ee352b9beee3105e73753a2810ce6800

      SHA512

      c54367b56636f940244775f1790043617e201da02c175e017eccf38dffcc857f06b952aeed85bc5b89cc6df0046b2045c6eab0e2b5e0ffd20b61f96f0423c457

      Download Submit

    • memory/940-62-0x0000000000000000-mapping.dmp

      Download

    • memory/952-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1812-55-0x0000000000000000-mapping.dmp

      Download