Overview

overview

8

Static

static

973a010e08...ff.exe

windows7-x64

8

973a010e08...ff.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    324s
  • max time network
    456s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 19:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe

  • Size

    92KB

  • MD5

    9dd28208be6453c12240edee598d01c5

  • SHA1

    3d028abe60716c6276fcd53a3e24cc614627db86

  • SHA256

    973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

  • SHA512

    9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

  • SSDEEP

    1536:/giuHKiksDOIeAMGXGyoI9y+kpFm94msrP9UnCcyUngZuc163Xqqi9D:YnKtsDOpAMGXGyoI9kpFm94msrP9UCco

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe
    "C:\Users\Admin\AppData\Local\Temp\973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run /V "SystemService" /D "C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe" /F
        3⤵
        • Adds policy Run key to start application
        • Modifies registry key
        PID:4612

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe
          Filesize

          92KB

          MD5

          9dd28208be6453c12240edee598d01c5

          SHA1

          3d028abe60716c6276fcd53a3e24cc614627db86

          SHA256

          973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

          SHA512

          9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\gbot\svchost.exe
          Filesize

          92KB

          MD5

          9dd28208be6453c12240edee598d01c5

          SHA1

          3d028abe60716c6276fcd53a3e24cc614627db86

          SHA256

          973a010e0888e683b71532704b85ccf6bf433e42f765ea86a20e67ceb3bde9ff

          SHA512

          9795b753e8ff9068ae9a47be232550bec98caeb59381558b4b743ae2b607da2c6669b15bf35a51f6ce543a917a05dd7f2a31db728eba5f822bbfd2633c2a174f

          Download Submit