Analysis

  • max time kernel
    151s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 19:46

General

  • Target

    f99ad202c43c98a4bd3d505f0680c663487c1f036a356815d7ac69b96e541b81.exe

  • Size

    213KB

  • MD5

    56ba8755dd359723ca9b02cd9fcad553

  • SHA1

    be4dc02dd304505fd1c55066ef2d770e38596a17

  • SHA256

    f99ad202c43c98a4bd3d505f0680c663487c1f036a356815d7ac69b96e541b81

  • SHA512

    54e32c037ba5bb9abc523773abe56e587ca10aaca4318ea46219f1cb7545111d22abcecfad23bb4fc52926a8b9124b95a980ff5423a24ce74f2940ca25d97eaa

  • SSDEEP

    3072:nl1i/NU8bOMYcYYcmy5PTM5YmMOMYcYY51i/NU8TffsN0n/A76r7Gki0Hv5sioUe:Xi/NjO5zX3Oai/NZG66CY/J

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (9 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is the sandbox's generic signature text; nothing else in this report supports a ransomware verdict for this sample, whose observed behaviour is to drop copies of itself, hide them, lock their ACLs and delete the original.

  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)
  • Views/modifies file attributes (1 TTP, 5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f99ad202c43c98a4bd3d505f0680c663487c1f036a356815d7ac69b96e541b81.exe
    "C:\Users\Admin\AppData\Local\Temp\f99ad202c43c98a4bd3d505f0680c663487c1f036a356815d7ac69b96e541b81.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Program Files\Windows\system.exe
      "C:\Program Files\Windows\system.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Windows"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Program Files\Windows"
          4⤵
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:3324
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\sys.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\sys.exe"
          4⤵
          • Views/modifies file attributes
          PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\qx.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\sys.exe" +R
          4⤵
          • Views/modifies file attributes
          PID:228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:1012
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\sys.exe" /P users:R
          4⤵
          PID:652
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files\Windows\sys.exe" +R
          4⤵
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:3888
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:4216
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Program Files\Windows\sys.exe" /P users:R
          4⤵
          PID:3504
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Program Files\Windows\system.exe" +R
          4⤵
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:3008
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:2916
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Program Files\Windows\system.exe" /P users:R
          4⤵
          PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del f99ad202c43c98a4bd3d505f0680c663487c1f036a356815d7ac69b96e541b81.exe
      2⤵
      PID:4780
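The process tree above is a compact self-protection routine: the sample copies itself to C:\Program Files\Windows\system.exe, drops sys.exe to C:\ and to that directory, hides the directory and C:\sys.exe with attrib +h, runs qx.bat to set +R and to rewrite each file's DACL with cacls /P users:R, and finally deletes the original with cmd /c del. Two details matter for detection. First, cacls without /E replaces the whole DACL and prompts "Are you sure (Y/N)?"; the sibling child `cmd /S /D /c" echo Y"` that precedes each cacls is exactly how cmd.exe spawns the left side of a pipeline, so the batch file almost certainly runs `echo Y | cacls ...` to answer that prompt (an inference from the tree, the .bat contents are not shown in the report). Second, the image paths are SysWOW64 while the command lines say System32: the sample is 32-bit, so WOW64 file-system redirection rewrites the paths, and a detector should match on the image basename rather than the full path. The following detection logic is an added example by the editor, not code from the sandbox or the sample. The events are constructed from the tree above (PIDs, images and command lines copied from it); the tuple layout imitates a process-creation log but is hand-built, the parent PID of the submitted sample is assumed to be 0 because the report does not show it, and the rule names are the editor's own.

```python
"""Detection for the hide / replace-ACL / self-delete chain in the process tree.

Added example, not part of the sandbox report or the sample. EVENTS is
constructed from the report's process tree; it mimics a process-creation log.
"""
import re
from collections import defaultdict

SAMPLE = "f99ad202c43c98a4bd3d505f0680c663487c1f036a356815d7ac69b96e541b81.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = r"C:\Program Files\Windows"
SYS = r"C:\Windows\SysWOW64"
CMD, ATTRIB, CACLS = SYS + r"\cmd.exe", SYS + r"\attrib.exe", SYS + r"\cacls.exe"

# (pid, ppid, image, command line). ppid 0 for the submitted sample is an
# assumption: the report does not show what launched it.
EVENTS = [
    (4904, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (4052, 4904, DROP + r"\system.exe", '"' + DROP + r'\system.exe"'),
    (1296, 4052, CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "' + DROP + '"'),
    (3324, 1296, ATTRIB, 'attrib +h "' + DROP + '"'),
    (688, 4052, CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\sys.exe"'),
    (4524, 688, ATTRIB, r'attrib +h "C:\sys.exe"'),
    (4092, 4052, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\qx.bat" "'),
    (228, 4092, ATTRIB, r'attrib "C:\sys.exe" +R'),
    (1012, 4092, CMD, r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (652, 4092, CACLS, r'cacls "C:\sys.exe" /P users:R'),
    (3888, 4092, ATTRIB, 'attrib "' + DROP + r'\sys.exe" +R'),
    (4216, 4092, CMD, r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (3504, 4092, CACLS, 'cacls "' + DROP + r'\sys.exe" /P users:R'),
    (3008, 4092, ATTRIB, 'attrib "' + DROP + r'\system.exe" +R'),
    (2916, 4092, CMD, r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (1668, 4092, CACLS, 'cacls "' + DROP + r'\system.exe" /P users:R'),
    (4780, 4904, CMD, "cmd /c del " + SAMPLE),
]


def tokens(cmdline):
    """Split a cmd.exe-style line on whitespace, keeping double-quoted args together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline) if t.strip('"')]


def suspicious_target(path):
    # Paths this dropper hides or locks: anything under Program Files, or an
    # .exe sitting directly in a drive root (the report's C:\sys.exe).
    p = path.lower()
    return p.startswith("c:\\program files") or re.fullmatch(r"[a-z]:\\[^\\]+\.exe", p) is not None


def detect(events):
    """Return {rule: sorted pids} for every event that matches a rule."""
    by_pid = {e[0]: e for e in events}

    def root_of(pid):
        # Walk ppid links up to the first process whose parent is not in the log.
        while by_pid[pid][1] in by_pid:
            pid = by_pid[pid][1]
        return pid

    def basename(path):
        return path.rsplit("\\", 1)[-1].lower()

    hits = defaultdict(list)
    for pid, _ppid, image, cmd in events:
        exe = basename(image)  # same match whether the image is System32 or SysWOW64
        toks = tokens(cmd)
        flags = {t.lower() for t in toks[1:] if t[0] in "+-/"}
        targets = [t for t in toks[1:] if t[0] not in "+-/"]
        if exe == "attrib.exe" and any(suspicious_target(t) for t in targets):
            if "+h" in flags:
                hits["hide_attrib"].append(pid)
            if "+r" in flags:
                hits["readonly_attrib"].append(pid)
        elif exe == "cacls.exe" and "/p" in flags and "/e" not in flags:
            # Without /E cacls replaces the whole DACL and asks "Are you sure (Y/N)?";
            # /P users:R leaves Users with read-only access to the dropped file.
            hits["acl_replace"].append(pid)
        elif exe == "cmd.exe":
            # cmd spawns each side of a pipeline as cmd /S /D /c" ... ", so this
            # child is the echo Y that answers the cacls prompt non-interactively.
            if re.search(r'/S /D /c"\s*echo\s+y\s*"', cmd, re.I):
                hits["piped_confirm"].append(pid)
            m = re.search(r'\bdel\s+"?([^\s"]+)', cmd, re.I)
            if m and basename(m.group(1)) == basename(by_pid[root_of(pid)][2]):
                hits["self_delete"].append(pid)

    # Correlate: one root process whose descendants both hide files and rewrite ACLs.
    per_root = defaultdict(set)
    for rule in ("hide_attrib", "acl_replace"):
        for pid in hits[rule]:
            per_root[root_of(pid)].add(rule)
    hits["self_protection_chain"] = [r for r, rules in per_root.items() if len(rules) == 2]
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule:22} {pids}")
```

Run against the constructed events, the individual rules fire on the attrib, cacls and cmd children, and the correlation rule attributes the whole chain to PID 4904, the submitted sample. On a real host the same rules would read Sysmon Event ID 1 or Security 4688 records; the correlation over the root ancestor is what keeps a lone `attrib +h` on a user's own folder from paging anyone.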

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\Windows\sys.exe
    Filesize: 72KB
    MD5: 92354536ece14660b60eb9f9cf8f8fc0
    SHA1: d9b1c9e38251b59f41414bbd53723e4501615855
    SHA256: 5777f7aa46d43783a24fa12f7123c66811a9a2353ccec4fa0749fb09e7d7ac43
    SHA512: 5988b1d62f10cdb311852ab9ad2b845805f0eb9fd5c99cd55db2964413b05498e1d3c4ece6ff3d4910fc0a0ab930ab43e6ead91a23371254f1e2cbc3be8a4d4c

  • C:\Program Files\Windows\system.exe
    Filesize: 24KB
    MD5: 2a5ca6e007316349ff0929c2f6e66618
    SHA1: 9669551415d9698ee282d87b9c89562992aa3f97
    SHA256: cdfe87e6296fe09746f2e6ebf5f7835d75d8d9ba4efea1d3b2f270c1bbdeab02
    SHA512: beab8c6306dd16bc473b7eaa9832549bdb778f92cdf9c1ec88c9582d7a10df8285a9412afd7f786304b499c54f362f341ebfdad35592f71ff319891355e78a2f

  • C:\WINDOWS\SysWOW64\qx.bat
    Filesize: 283B
    MD5: 32afcf0a6ae75e5d11229f30c1848e48
    SHA1: d1d59b121e12f93d27369d203566336d3d2afc15
    SHA256: fd274418081b46a7a9dc70f3afe8b6aa9c7545588a97eb23fc1813da50d073e3
    SHA512: d1bb3e135b046b76fa55f7542f8f6995ceb9d03b5f5a240e0e0e9745a9246b03a12ac3c459229f3909697fd8ae7b09abb0e99c6ca07ae0b39b4c89100ad58320

  • C:\sys.exe (same content as C:\Program Files\Windows\sys.exe; the hashes below are identical)
    Filesize: 72KB
    MD5: 92354536ece14660b60eb9f9cf8f8fc0
    SHA1: d9b1c9e38251b59f41414bbd53723e4501615855
    SHA256: 5777f7aa46d43783a24fa12f7123c66811a9a2353ccec4fa0749fb09e7d7ac43
    SHA512: 5988b1d62f10cdb311852ab9ad2b845805f0eb9fd5c99cd55db2964413b05498e1d3c4ece6ff3d4910fc0a0ab930ab43e6ead91a23371254f1e2cbc3be8a4d4c