Overview

overview

8

Static

static

3e9f2c1bd1...cf.exe

windows7-x64

8

3e9f2c1bd1...cf.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e9f2c1bd116ccfcd0dcb3051cb40e3912155b737e11c68cc3ceb28657f612cf.exe

  • Size

    180KB

  • MD5

    36b042b638d078361033f9c7ddb086c2

  • SHA1

    da39b60eea08bbb2444d1e43434269d561e7c743

  • SHA256

    3e9f2c1bd116ccfcd0dcb3051cb40e3912155b737e11c68cc3ceb28657f612cf

  • SHA512

    70251434d87f0228ade039ba6db54599b3a3ca126b708c0e8ec19accf8c6b34bfa3da2cb92569be6bb4f7ee73da8795e656efef6e138b5ffcc3696101491dece

  • SSDEEP

    3072:6BAp5XhKpN4eOyVTGfhEClj8jTk+0hdm5Bar3j9:JbXE9OiTGfhEClq9v5Azj9

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e9f2c1bd116ccfcd0dcb3051cb40e3912155b737e11c68cc3ceb28657f612cf.exe
    "C:\Users\Admin\AppData\Local\Temp\3e9f2c1bd116ccfcd0dcb3051cb40e3912155b737e11c68cc3ceb28657f612cf.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\v storonu\E230\10\EcuadoryGalapagos.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:2724
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\v storonu\E230\ultar\Latesttraveladvicefor.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:364
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\v storonu\E230\ultar\Simplyenteryouremailaddress.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:3068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\v storonu\E230\10\EcuadoryGalapagos.bat
    Filesize

    2KB

    MD5

    be2c5db88cafd114255d1202e8f92acb

    SHA1

    37680a2557e2e4df92d0539d7e3e6420033f48da

    SHA256

    d0bf0ca23090522c7338996919b2dbb0100ff4307106983258a74e130670f862

    SHA512

    d486596802a96166afa5b118691754df1c283181e641614cb1009669b5c7a695dc6126d93f953bd55f31e06ebf7c52d754b507866589198fb9b21a441750186d

    Download Submit

  • C:\Program Files (x86)\v storonu\E230\ultar\Latesttraveladvicefor.vbs
    Filesize

    817B

    MD5

    cf28d72828a5b4e188cf5f01f54d3bd9

    SHA1

    665dc259c630c8b79cfd8df33347dbd098f38960

    SHA256

    9953c2839fe0477ea8ea304ad71995adbed19d134ed1995d983edb90f71770f6

    SHA512

    5cae08a0a6477cca605a30f2457cfa5a4644e8828c9dbad5217d36a490d2b6f7932eefe81c96ba927b84d56698efc54d3a038f93a969f8e9ec5f77e5ecca8f56

    Download Submit

  • C:\Program Files (x86)\v storonu\E230\ultar\Simplyenteryouremailaddress.vbs
    Filesize

    557B

    MD5

    67de8f45a16cf65bf7a6ae3bd7d83603

    SHA1

    37a415c7e60cce666bb8c725837776483d08d249

    SHA256

    717703d21f5e6c16bcb813cf55bf34dd107bc79099a26d2773d75e20c5f44960

    SHA512

    c3d1182d92dccae25dfe53ba800083093fad98021007fd547ed5a039916440c4a3abd1397f1173ae07db6f1be4e7b67348c6fa25d4919dfa9ba073a362d7f255

    Download Submit

  • C:\Program Files (x86)\v storonu\E230\ultar\moskaraskakokokoko.hiq
    Filesize

    54B

    MD5

    05cb67a96ed0ec3cec454f4899051767

    SHA1

    4db7341b4992d0bf08a1c8df15dc2daf397c804b

    SHA256

    34e21e97e937d5b29938cf3617041fbf3e0b291d51b9169a1eba10ffa1a4573f

    SHA512

    6c93c4688c4b800d7b6fcbd8e15c15263c17f2464a85bf24bcf5d1a114d90aafecf3565eb88a474d998a050bbb931e66606cabe59dc333e168834d985357be76

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    26ec35f056ef17773a030f112d4ec6b3

    SHA1

    4007b8712c4b9ae68c4158f3a46c3724e3e2a0fb

    SHA256

    2188ee572781abbe0364ed50428f5d61983b6154c8294faf684a3b013f04dbb4

    SHA512

    16c93bf965ebd995754bd8da4d206e78734d079beff568d3996d5c1d2f49d1be80e2f2fa23539f480da3602fb0c769ae5e5c158d3470a6edba18311766182bbd

    Download Submit