Overview

overview

8

Static

static

ebeeb662e8...06.exe

windows7-x64

8

ebeeb662e8...06.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe

  • Size

    968KB

  • MD5

    9c8f72d5efa2aa19232daf2a45d60b1d

  • SHA1

    3aea74916f1fe3564b8bea5d162b77ed37be5917

  • SHA256

    ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006

  • SHA512

    27ef28ef54fcb23caa74faec809d1512670b1bcaddceff96dde320236aad8b4df451d76bd99880df337442a5840a5611c110ae836fa1592d806f31cfd8be2475

  • SSDEEP

    24576:ZI39dmzGv6o1MB8KpuxvAUjxD0lPplgYbhgebVKo0Ld8:Z6dqGaBf8RA4IDgY9Vbv4e

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2484
      • C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe
        "C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB0E6.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4992
          • C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe
            "C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4536
            • C:\Users\Admin\AppData\Local\Temp\is-8Q6AK.tmp\is-1SM3R.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-8Q6AK.tmp\is-1SM3R.tmp" /SL4 $80204 "C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe" 727495 52224
              5⤵
              • Executes dropped EXE
              PID:4772
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1424
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2744

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$aB0E6.bat
        Filesize

        722B

        MD5

        2e0f465618f1d4ddf654c08784516897

        SHA1

        1df69660ea7044100c9f3a9789e7bc3720a50b0a

        SHA256

        89e90462e753d32b204dd6c3e176ae199e6f8ac9bc33ed15b208825eae5290c7

        SHA512

        66441bf31f80fef75877b3997fadbbeb83838eb2ca4dbe7fb60c1aa255ff5858757312e7ef6e86d717a10e41f6285d06d42d608835c511827b82610a87a3b58b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe
        Filesize

        939KB

        MD5

        e54a31b7d0694f18d4fe26f96e3ce967

        SHA1

        b4e8f8af3043a14f6a2aaee41230eaa8bdfed714

        SHA256

        812c498ebb2994b0478d2f7583d2e12c1d3be0e086717788e975063eaf44158d

        SHA512

        ed746eeabd77daeb947db7ec0f1c86258dea3de75d39beca72f7fe3659d8b4ce1a8bac99636da4164d8fc8740ddd7395b4cbb329ad39954221c56c6703e7d20b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ebeeb662e8a6a93bedfe6a54813422e7fec69e347965d570b998d3468fa07006.exe.exe
        Filesize

        939KB

        MD5

        e54a31b7d0694f18d4fe26f96e3ce967

        SHA1

        b4e8f8af3043a14f6a2aaee41230eaa8bdfed714

        SHA256

        812c498ebb2994b0478d2f7583d2e12c1d3be0e086717788e975063eaf44158d

        SHA512

        ed746eeabd77daeb947db7ec0f1c86258dea3de75d39beca72f7fe3659d8b4ce1a8bac99636da4164d8fc8740ddd7395b4cbb329ad39954221c56c6703e7d20b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-8Q6AK.tmp\is-1SM3R.tmp
        Filesize

        647KB

        MD5

        b683339ce008e97a0243a0f83bca1e09

        SHA1

        a8a4c078225ec9d94912762bda3a745d83dbe8f4

        SHA256

        5c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925

        SHA512

        c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-8Q6AK.tmp\is-1SM3R.tmp
        Filesize

        647KB

        MD5

        b683339ce008e97a0243a0f83bca1e09

        SHA1

        a8a4c078225ec9d94912762bda3a745d83dbe8f4

        SHA256

        5c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925

        SHA512

        c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        2f43a1a338606cae45b4618f19a77628

        SHA1

        9f6bce5c7bf29ddb8c3463571793aec48e977a9b

        SHA256

        45d99b0c3bd885cae1693cc9dc368926b86b312d84ce6656c8fc7128989686ce

        SHA512

        feb7cd27b67e87e0b566b9d1519d1be2870b46b85c0de845386f0a525d64b73870450378a54a5b907ba1b7e1c567258c3b82db81707eac630280a6c3e6d1d044

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        2f43a1a338606cae45b4618f19a77628

        SHA1

        9f6bce5c7bf29ddb8c3463571793aec48e977a9b

        SHA256

        45d99b0c3bd885cae1693cc9dc368926b86b312d84ce6656c8fc7128989686ce

        SHA512

        feb7cd27b67e87e0b566b9d1519d1be2870b46b85c0de845386f0a525d64b73870450378a54a5b907ba1b7e1c567258c3b82db81707eac630280a6c3e6d1d044

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        2f43a1a338606cae45b4618f19a77628

        SHA1

        9f6bce5c7bf29ddb8c3463571793aec48e977a9b

        SHA256

        45d99b0c3bd885cae1693cc9dc368926b86b312d84ce6656c8fc7128989686ce

        SHA512

        feb7cd27b67e87e0b566b9d1519d1be2870b46b85c0de845386f0a525d64b73870450378a54a5b907ba1b7e1c567258c3b82db81707eac630280a6c3e6d1d044

        Download Submit

      • memory/1436-136-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1436-132-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3416-145-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3416-152-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4536-146-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4536-151-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

        Download