Overview

overview

8

Static

static

bcb5e52dbf...a0.exe

windows7-x64

8

bcb5e52dbf...a0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    304s
  • max time network
    372s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcb5e52dbf9925999cbca08d61400602025789d319e15c2427f8809ac35d51a0.exe

  • Size

    95KB

  • MD5

    212a991b8053674b0b6c054534558676

  • SHA1

    461ecc63db705949f900c5078cb122860771111e

  • SHA256

    bcb5e52dbf9925999cbca08d61400602025789d319e15c2427f8809ac35d51a0

  • SHA512

    bd0c386cb9e9ad61eac7df206d9f3b5108bbd9d1e73a5e9a55f4e9580be2f5c3408779774309168ac26981fe409fecaccf299ea0b41bf9de292a68efffb11e77

  • SSDEEP

    1536:CKDqJvz2xyM40DSmJEKEFXvx52/DVTW1qfc:CKDAfCDSmJEXc/Ri1q

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcb5e52dbf9925999cbca08d61400602025789d319e15c2427f8809ac35d51a0.exe
    "C:\Users\Admin\AppData\Local\Temp\bcb5e52dbf9925999cbca08d61400602025789d319e15c2427f8809ac35d51a0.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Raila Odinga.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        PID:3144

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nswB6CF.tmp\System.dll
    Filesize

    10KB

    MD5

    ed228603bf5d6ba382b59274dba35a0a

    SHA1

    037d40e0399902b5119d48995dfd2e96bc6de9a4

    SHA256

    a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

    SHA512

    9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nswB6CF.tmp\System.dll
    Filesize

    10KB

    MD5

    ed228603bf5d6ba382b59274dba35a0a

    SHA1

    037d40e0399902b5119d48995dfd2e96bc6de9a4

    SHA256

    a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

    SHA512

    9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nswB6CF.tmp\System.dll
    Filesize

    10KB

    MD5

    ed228603bf5d6ba382b59274dba35a0a

    SHA1

    037d40e0399902b5119d48995dfd2e96bc6de9a4

    SHA256

    a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

    SHA512

    9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nswB6CF.tmp\System.dll
    Filesize

    10KB

    MD5

    ed228603bf5d6ba382b59274dba35a0a

    SHA1

    037d40e0399902b5119d48995dfd2e96bc6de9a4

    SHA256

    a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

    SHA512

    9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nswB6CF.tmp\System.dll
    Filesize

    10KB

    MD5

    ed228603bf5d6ba382b59274dba35a0a

    SHA1

    037d40e0399902b5119d48995dfd2e96bc6de9a4

    SHA256

    a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

    SHA512

    9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nswB6CF.tmp\System.dll
    Filesize

    10KB

    MD5

    ed228603bf5d6ba382b59274dba35a0a

    SHA1

    037d40e0399902b5119d48995dfd2e96bc6de9a4

    SHA256

    a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

    SHA512

    9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

    Download Submit

  • memory/996-132-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/996-135-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

    Download