Analysis

  • max time kernel
    152s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 22:02

General

  • Target

    680067a153585ff02763b098dcf5239ddbd8173c2a2976c77f68d30c9bfb1932.exe

  • Size

    897KB

  • MD5

    e19332c8fae47a03db83ecc7b566c7ef

  • SHA1

    1666bd1fa122f8dfc0830ad64349625d5af108c0

  • SHA256

    680067a153585ff02763b098dcf5239ddbd8173c2a2976c77f68d30c9bfb1932

  • SHA512

    af11d76acdf21e845ea3ba864ec459b52b601b16efc6aabc994ee5c0a2c78fcb4083b4c561bce0245bbc1167d4e32e1aa6a75f6888dc141ed981a5fe3af900b6

  • SSDEEP

    12288:MYUQxvtN/hTaV84DA6i65jmpWqt3v0Kp8ZyuckuNMLQUfq9yvUr7WRYVG7mVotDY:dxvtN/KbivvNwyuZiYQYaFaRp7o2t1m

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\680067a153585ff02763b098dcf5239ddbd8173c2a2976c77f68d30c9bfb1932.exe
    "C:\Users\Admin\AppData\Local\Temp\680067a153585ff02763b098dcf5239ddbd8173c2a2976c77f68d30c9bfb1932.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Extracted\jbdsa.exe
        "C:\Extracted\jbdsa.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3236

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Extracted\jbdsa.exe

    Filesize

    156KB

    MD5

    2ca16065b611b7c86014788df367b652

    SHA1

    c10435bcd1d53dcc1e89c82a9c4bd7ed8aec77cd

    SHA256

    49be3d6bc80e5b658a9654b8a47af7b9cbab76e32437eb8ea27d4ed84b5c583f

    SHA512

    26a6ccb9685f41ad85bbd41e4543b9371b97bb57db307958a1a4eb1794cd6bc2e82f3124f294f3bd2d19756d41bb1c4fa4833deb0c7453b8078a813fd96de4ba

  • C:\Extracted\jbdsa.jbd

    Filesize

    849B

    MD5

    38f7d1544651a08d311d02ff8937d58e

    SHA1

    5bbb033089ab117efa5c8d7fc45ecc1dda24759e

    SHA256

    55d3eb013092806c142de9d83e3a25fede1a2fce0ba731c50d003af6184e2ed3

    SHA512

    5062a435004da4035df958117fc570ebfbc3899abb48bd5e78de76225d4fc187fc421598f878e24c39229508926215165506151838f8ce00b875765784a2dc5e

  • C:\Users\Admin\AppData\Local\Temp\Crypted.exe

    Filesize

    854KB

    MD5

    812adaf3b684f055fa09f4ed7c3cd76a

    SHA1

    aef1a1f19ba2486f5e72f5d0715872c2d7113038

    SHA256

    917004292ef5bcf2b48ac78ea481460cbdedd7edc842f56da6743975cd144466

    SHA512

    d9e4b005d186ada990a206f6d5e5d29f385f913d9684fd0e625c6cb87d7639a84c357e64d1eb8817c94357b22e6addd45c32c4d9a84b86f8ad7038e1bb1736dd

  • memory/1536-133-0x0000000000000000-mapping.dmp

  • memory/2340-132-0x00007FF99C4F0000-0x00007FF99CF26000-memory.dmp

    Filesize

    10.2MB

  • memory/3236-136-0x0000000000000000-mapping.dmp

  • memory/3236-139-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

  • memory/3236-143-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB