Overview

overview

8

Static

static

c5d10a369d...9a.exe

windows7-x64

8

c5d10a369d...9a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    341s
  • max time network
    407s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5d10a369d4e459f2577a9bfc8ad31573ffb76f6f81e603145f02aba76663e9a.exe

  • Size

    550KB

  • MD5

    244e6bb3accd42d5d5a7aa935ebe7870

  • SHA1

    598cad7b7461b48d2f21d08ea97806948f6e81e7

  • SHA256

    c5d10a369d4e459f2577a9bfc8ad31573ffb76f6f81e603145f02aba76663e9a

  • SHA512

    7a916f2ee3fdc6aba272fd943f4cd16498961e106af118a0d4cc385e9d080985afc5365b2a76f04e02650d13845a3789c3b697f9c5ed7eb08e349bf81dfeed08

  • SSDEEP

    12288:/iFiRKuHwxwMmIhEhDedl13kXctJ4Nzw4hxPTS518uCol:/iFiRKuQxGIhQD2H3kXctJizwcFSdC2

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5d10a369d4e459f2577a9bfc8ad31573ffb76f6f81e603145f02aba76663e9a.exe
    "C:\Users\Admin\AppData\Local\Temp\c5d10a369d4e459f2577a9bfc8ad31573ffb76f6f81e603145f02aba76663e9a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\pb1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\WINDOWS\SysWOW64\AD10.exe
        AD10.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\SysWOW64\AD10.exe
    Filesize

    212KB

    MD5

    4ffaae9401f33ae9a9a1a5171804ab3c

    SHA1

    78541b6cd79a11ce3c0e083085f03975d0464e1a

    SHA256

    afcc90f3fafa43dc72b65ccd3e019fe4a5f803e1a724cff584b80a4e0c7c32a1

    SHA512

    733648b089a163be1f76d797533d0129b36c2ac7d5412d1b3d2020ae7fed4f1dfae2bef355eb70288ebe26993c9457679a8d42badc1174f758569be20304baec

    Download Submit

  • C:\WINDOWS\SysWOW64\pb1.bat
    Filesize

    2KB

    MD5

    fb67430a2485c1b6dd50a8680bcd42ff

    SHA1

    1e95a061da8498b96c5618a281d915d51a743bc3

    SHA256

    d6358fbfcb66f15450b250562de52220ec5dc0dea6e9d7763e59c05caa96a548

    SHA512

    91d8ac7d776ca5d9c8e746f2c747e4af75a8d261baabbff14427b985f2aeee5214a4628571c07091ebbd5881b6f8090691532f076f63242e9ae5dc22a08dd701

    Download Submit

  • C:\Windows\SysWOW64\AD10.exe
    Filesize

    212KB

    MD5

    4ffaae9401f33ae9a9a1a5171804ab3c

    SHA1

    78541b6cd79a11ce3c0e083085f03975d0464e1a

    SHA256

    afcc90f3fafa43dc72b65ccd3e019fe4a5f803e1a724cff584b80a4e0c7c32a1

    SHA512

    733648b089a163be1f76d797533d0129b36c2ac7d5412d1b3d2020ae7fed4f1dfae2bef355eb70288ebe26993c9457679a8d42badc1174f758569be20304baec

    Download Submit