Overview

overview

8

Static

static

9d933a0336...53.exe

windows7-x64

8

9d933a0336...53.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d933a0336aa143b7463cdf6f58af4b7b59a22c1f1b8b084336e535a5c1a3e53.exe

  • Size

    895KB

  • MD5

    64a39dbf2652437e496b8b43c06a086d

  • SHA1

    e5ff3dfbbdb1031f162da86fcfcf6fb5ee9cccd0

  • SHA256

    9d933a0336aa143b7463cdf6f58af4b7b59a22c1f1b8b084336e535a5c1a3e53

  • SHA512

    8b103bada7aa7cbb125a0dddd8c0d55250d94f9e38269deb9ff0310d24f1bf651d6d8eccb4a49b1ca4348be97aa384de91686a184a30269b375a6a3f52e3623d

  • SSDEEP

    24576:PxaVxr52HfbIvbchh78MI8mBEtUeMz3sqFW8qH3c1T:Pzf+CH4EtUZ3sayH3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d933a0336aa143b7463cdf6f58af4b7b59a22c1f1b8b084336e535a5c1a3e53.exe
    "C:\Users\Admin\AppData\Local\Temp\9d933a0336aa143b7463cdf6f58af4b7b59a22c1f1b8b084336e535a5c1a3e53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\mama\alone.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Windows\temp\mama\mama.reg
        3⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:1576
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Windows\temp\mama\hide.reg
        3⤵
        • Runs .reg file with regedit
        PID:1788
      • C:\Windows\temp\mama\mirc.exe
        C:\Windows\temp\mama\mirc.exe
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Windows\temp\mama\close.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /IM explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4196
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Windows\temp\mama\open.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3336
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            5⤵
            • Modifies Installed Components in the registry
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:404
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +S C:\Windows\temp\mama
        3⤵
        • Views/modifies file attributes
        PID:4564
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3432
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\mama\hide.reg
    Filesize

    156B

    MD5

    ba69a92d706424c6a96eb632673a5a22

    SHA1

    037505009e9c210983e33bf378f0dbca7a77091d

    SHA256

    88fc8f754bee1f4f8f4405908d6b8e69e41536e75b90de1763a8545c1683b398

    SHA512

    24517d89dbd7556a261b4c3593078e71674e48277c2cf3285a2999c8e2c5f17568e2ca826760b7176c4370b562e09995226e5c7462c6172d07dc62c9f99607e1

    Download Submit

  • C:\Windows\Temp\mama\mama.reg
    Filesize

    1KB

    MD5

    48e283d4a1e4451e2229a2d874dff7e4

    SHA1

    a1f76820bbbacb5fd2e7159efa9144799982ec96

    SHA256

    1c78bd99923496959abe8e82121d7261240400455ff6f5262d5951fa46988bef

    SHA512

    30d1caa6479ca885eed77a9c695756bf1f2b13c4c7012361eb9be96e42d0f06c61ba2aaab44b47dd2a73aac83f2e29028b79968050bec0e22d06fb9da2461762

    Download Submit

  • C:\Windows\Temp\mama\mirc.exe
    Filesize

    1.8MB

    MD5

    76e19751217fcb561233da821f84e8ea

    SHA1

    9dac3680bc6236dac8b2bc11e095cb20b38670de

    SHA256

    1b9f5ee2dc56c04ff0baae58af51cd313a9e788c1fc96530f73681982d1473a9

    SHA512

    f8a9927e49a07449ab8424d61f020ee79ab4e0335b9b3975702eedc6df9e06fffc27ef0a5e9ac8a4d37c5ee1784a488f084c69a904e06abb9a455333dfe5d404

    Download Submit

  • C:\Windows\temp\mama\aliases.ini
    Filesize

    11B

    MD5

    2218df9cdffc814a3dc25c81dd8619dd

    SHA1

    0290f796218937f61331adc8803788e7cd4c2299

    SHA256

    455831b583cfa9549746bcd296a60f5191d2eff7829d469e029b68768c5e56d1

    SHA512

    7aa4c745dfce7b2c38c4930e8275885727a19480597f685f89ab0e536175c31a2d5ee61cfd84b483f73eb211970a1a4fefcc59d8ef97b9af7bf09b7dcf932efa

    Download Submit

  • C:\Windows\temp\mama\alone.bat
    Filesize

    235B

    MD5

    5561169dc8e886c577d00b2db7514b58

    SHA1

    d059f43e3c141e6e6359967829f4095226d18d4b

    SHA256

    d6944506194694d25604b1c15d086bc838e719201ee9e391d09573c4eacf0bdd

    SHA512

    1a5892a399ea0560f598f759dba6a3ccb3fa94ad653a9745b5fd3c8573f7fd0ecd53651c745a35ca1381de3702c177d39985e2f924b0a6c40cb2f38ca39de103

    Download Submit

  • C:\Windows\temp\mama\baby.mir
    Filesize

    11KB

    MD5

    b42589421e37d65a2fc8eb2db1b84a6d

    SHA1

    8a6cebfa58d31deb8fedf71e2072151c5957c1ff

    SHA256

    47261d366c97bf513072358263e791b04c88a34af472d97b7634de4f05627b91

    SHA512

    3bd753d2c840f7bcc374fa38c40a06980b76e4c0d75693c7dbddb4fce10a51ccb9f43ad637d867e61b4a606a0ec93e44681132200d4c4a48e148371ed08bcb40

    Download Submit

  • C:\Windows\temp\mama\close.bat
    Filesize

    84B

    MD5

    f61f3c46a73dce4d1b857dd5bc4e5a43

    SHA1

    6ad3d31e4a935f282069ba86cd1e0ef7416ea6e3

    SHA256

    560b149ea14639666158e48e71541c2f70b3d0a6bf42f26921bf939001105573

    SHA512

    252b7151a439e20f6689d90d804ace698e4a0738e02c33499a83003019fa1149dd9bb1f1ba74481d9cca226585ce7ef55ac5593933398cc4900926c069d80426

    Download Submit

  • C:\Windows\temp\mama\control.ini
    Filesize

    388B

    MD5

    599cdde505c45cab85da62e422fc8a14

    SHA1

    209e6e4b4cd78dd8e4a5eed2041d3d39764b96f1

    SHA256

    5fb7977eab536175d53da4a4759ee514df36d9baf965038f9613fa2569502abd

    SHA512

    8dc5bfbe189d3fad691c45698314890a103c90d24811e508cac9ac70adf04bca06db77151f2a5ecc91bd537572ec0d4d1bb99bc148884811745b1ebfd319197d

    Download Submit

  • C:\Windows\temp\mama\fullname.txt
    Filesize

    13KB

    MD5

    249cd6dd9eb68ce32f049e9a9d5bb412

    SHA1

    65eaac45a249ed0f47622f57b37c7e2e8794f4b3

    SHA256

    82cc53730158337e48dd6e709e63d95bbb0560dfc4df696b1a535e643940ca1f

    SHA512

    fdde53eda97997e00efc7e124f1fc6ba9ba5bbfc1943b7360fae12e43d461cdfb2583857d5b5b466487bbb125ef4807b81deeecd05258deb473d6893a0a275cd

    Download Submit

  • C:\Windows\temp\mama\ident.txt
    Filesize

    237KB

    MD5

    31975a5597b74f8f5e6dfa741cf7d0ce

    SHA1

    dd393df49eeb4b1b1aa46fc8e20b8d03b14d2252

    SHA256

    54d38cbcf9ea64960c533422857b03a384b055e6624a1e982b5163d0a8a41099

    SHA512

    3fcf672b6c47706660d519bb2b352c98afc3f4374d67e54be862131bad7648189c20e7c4bff8b8feede1268493824fc88befdd3a5ab0d92b75784e6918941338

    Download Submit

  • C:\Windows\temp\mama\jumbo.ico
    Filesize

    5KB

    MD5

    e09aa9787af5cc53fd7525dd6693cf10

    SHA1

    57445d0779a66c61741822c0a7988573efee13d7

    SHA256

    c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

    SHA512

    b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

    Download Submit

  • C:\Windows\temp\mama\mirc.exe
    Filesize

    1.8MB

    MD5

    76e19751217fcb561233da821f84e8ea

    SHA1

    9dac3680bc6236dac8b2bc11e095cb20b38670de

    SHA256

    1b9f5ee2dc56c04ff0baae58af51cd313a9e788c1fc96530f73681982d1473a9

    SHA512

    f8a9927e49a07449ab8424d61f020ee79ab4e0335b9b3975702eedc6df9e06fffc27ef0a5e9ac8a4d37c5ee1784a488f084c69a904e06abb9a455333dfe5d404

    Download Submit

  • C:\Windows\temp\mama\mirc.ini
    Filesize

    3KB

    MD5

    da78a92d8635a9df0fbc59902fe3a93d

    SHA1

    967cb8a22dd7f8d4f6ac54a9399ac7dc655d424c

    SHA256

    5394ca64e598578cec2a1bd80beacefc2e979247461e1a04ffdc78aabc228801

    SHA512

    329386f00498090182b23810f06cb30d71c38e9e4a9624a6d7a2ab6ae5e5233524e2aac38fbfcdf3350debb8f8676a051065eccc7e778fe5d614dbccce72e377

    Download Submit

  • C:\Windows\temp\mama\open.bat
    Filesize

    50B

    MD5

    96ce421de15fd180dd2b0cfda62a0f89

    SHA1

    55939da8b7fca6886aa2489456ff154fc24378d0

    SHA256

    3325717b334f4e427b561ac3cc182abd5a667a208a81f891716c25be51ceac30

    SHA512

    d98dee84198e4e21f85aaefc0a5631c90b6e5c27e63066e72c1ddeda83de1e354ed4422d6e228d9d11a72594bee9e068eab64d3ff4a75e539cb95c91ad7ac0b1

    Download Submit

  • C:\Windows\temp\mama\servers.ini
    Filesize

    920B

    MD5

    5ded5440d5902791051ab80a527d8813

    SHA1

    3de7852adec366d07c02daabc2f98b47e0d5d517

    SHA256

    a27891e84343c44f8481d8a3d92fc539819d8fdcf427b20ef3b2521f6d37099d

    SHA512

    498f16c8b5a4e676f213b81e1b9796413f1c5016b10e981f2e3f6a2a44e9f0812b247504293f3e1ca1711ee4bb023c6f0d13d1760b57a94b9b0db7607b17f264

    Download Submit

  • C:\Windows\temp\mama\users.ini
    Filesize

    222B

    MD5

    42ccab47e57ce3976627794d20424d1d

    SHA1

    a14ffddc1c3a5cea571f1f4504d7f34f53cf420e

    SHA256

    4ada316b1a455ee4f3276449e69155d8d1856716ab6f5f7ec5becd529a582327

    SHA512

    1e9c337b90d68a4df0d55b7c9ed96be5a6d64d69e16dca5e0656045a811fa09e6d49f69281c6f210e2d4485c85c54e53baaf7c0e5204e24e1d7837fbddac86a8

    Download Submit

  • memory/4396-170-0x000002AE18E4A000-0x000002AE18E4D000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-177-0x000002AE18E87000-0x000002AE18E8A000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-164-0x000002AE17A90000-0x000002AE17AB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4396-169-0x000002AE18E4A000-0x000002AE18E4D000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-188-0x000002AE18E90000-0x000002AE18E93000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-171-0x000002AE18E4A000-0x000002AE18E4D000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-172-0x000002AE18E4A000-0x000002AE18E4D000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-174-0x000002AE16D70000-0x000002AE16E70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4396-176-0x000002AE18E87000-0x000002AE18E8A000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-189-0x000002AE18E90000-0x000002AE18E93000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-178-0x000002AE18E87000-0x000002AE18E8A000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4396-181-0x000002AE18E8C000-0x000002AE18E90000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4396-182-0x000002AE18E8C000-0x000002AE18E90000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4396-183-0x000002AE18E8C000-0x000002AE18E90000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4396-184-0x000002AE18E8C000-0x000002AE18E90000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4396-180-0x000002AE18E8C000-0x000002AE18E90000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4396-187-0x000002AE18E90000-0x000002AE18E93000-memory.dmp

    Filesize

    12KB

    Download