Overview

overview

8

Static

static

b77420a16d...3a.exe

windows7-x64

8

b77420a16d...3a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    46s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b77420a16dc2e3bed70e63fb428ff66c51ba35902c4467b86804e43d6d26b03a.exe

  • Size

    477KB

  • MD5

    acf13908b651c82d76391dda3574c6e0

  • SHA1

    ff0d66a8e6b6ab2ea79cf5e4962047098b82a4ba

  • SHA256

    b77420a16dc2e3bed70e63fb428ff66c51ba35902c4467b86804e43d6d26b03a

  • SHA512

    2cc12305e375ff980a6edb39f676a90e249d76becfa0646f90623104a90229fc2af28feb10c08b6e4c32debbdcf9d67aa19e389352e70f7c75358fd9257533bf

  • SSDEEP

    12288:w8blFZ0oXr/5NliDenCEkvjnVwEvLPwzJzu9OX2Ukx5vcEi0/3IWV2//c9Yc:w8blFZ0oXrHkjVwEvLPg3/O

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b77420a16dc2e3bed70e63fb428ff66c51ba35902c4467b86804e43d6d26b03a.exe
    "C:\Users\Admin\AppData\Local\Temp\b77420a16dc2e3bed70e63fb428ff66c51ba35902c4467b86804e43d6d26b03a.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WINDOWS\syf.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v disableregistrytools /t REG_DWORD /d 1 /f
        3⤵
        • Disables RegEdit via registry modification
        PID:544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WINDOWS\up.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Windows\SysWOW64\net.exe
        net stop Security Center
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop Security Center
          4⤵
            PID:1768
        • C:\Windows\SysWOW64\net.exe
          net stop SharedAccess
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SharedAccess
            4⤵
              PID:1164
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp.\kij.reg
            3⤵
            • Runs .reg file with regedit
            PID:1756

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kij.reg
        Filesize

        277B

        MD5

        760776cff6f8d1efeb385795571eab6b

        SHA1

        d46945b4718ec40a04817473db3b3a8aed04e4cf

        SHA256

        7e1d14fa4078548b582f6767d786c82b1162333993ce68ba812a26671f6d0d0c

        SHA512

        cf72f32cd041d2ec728a9099453c4c105b691bd7fd839823e449dc852d39e7d38de61f1856f9e64ef5067cf967903c9a449a41450014507fb9510fbad1f3d3df

        Download Submit

      • C:\WINDOWS\syf.cmd
        Filesize

        146B

        MD5

        98909a52071d95321d93fb925a6a08c6

        SHA1

        3005d9f32dbaafd9b635165706cfaf1ee845259f

        SHA256

        6e505012e027a6d94bdbdc62008ed3188cb50768afc8cfa045ea82c4775f4ea9

        SHA512

        ff7cfeebe358375a0f1492d240b47787f5632228fc40cdc606f37c420dbd99b83bd375e77fb4b6f53af7c6990a859f58fdd1d67c4a02ba0fa970fe409de24524

        Download Submit

      • C:\WINDOWS\up.cmd
        Filesize

        659B

        MD5

        3317900ab5df93f2b01c17e2419c1416

        SHA1

        50835be300f4188de57777610bd113e3177b3e78

        SHA256

        50685526578bcbccfbae644ea19d63b3c87a312fecbfde8ca81ed58249a5b6ac

        SHA512

        96bcdd5afcdb97b2d51d25d784824518b7df346189b3f0f43573236e0bd841daeb70a8e1e368d8bc8025a1cef4fac6aebc36382679492c78d4f56b95333b2614

        Download Submit

      • memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

        Filesize

        8KB

        Download