Overview

overview

8

Static

static

f1a5d21735...3a.exe

windows7-x64

8

f1a5d21735...3a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    187s
  • max time network
    245s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 08:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f1a5d21735a65b031448f0a45c4c14eaf11e27c41853dad2a116ed95296b833a.exe

  • Size

    609KB

  • MD5

    38b9170daa56351b2a206521d0a4d23f

  • SHA1

    b5fa323cb683339dd94e005630a63a7fd303f997

  • SHA256

    f1a5d21735a65b031448f0a45c4c14eaf11e27c41853dad2a116ed95296b833a

  • SHA512

    8e5b61cbc298fb38125e0ef802efd5274830ae73e92fdd5cf14371b507688ea76eaa0ad5d19aa63be7054c27bfc1935e85bc0ff2ffdd0564182d1e50a3db74c1

  • SSDEEP

    12288:my7UCurTDV/Omeo8huhYO7ZPtFXYMgin0sYKnGL07tWRYKBT7tSyapU:my7U7Z/OV0v7RX/1n0BKa0I6KR2O

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1a5d21735a65b031448f0a45c4c14eaf11e27c41853dad2a116ed95296b833a.exe
    "C:\Users\Admin\AppData\Local\Temp\f1a5d21735a65b031448f0a45c4c14eaf11e27c41853dad2a116ed95296b833a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Users\Admin\AppData\Local\Temp\½£»êרÓÃÁ¬·¢.exe
      "C:\Users\Admin\AppData\Local\Temp\½£»êרÓÃÁ¬·¢.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3316
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        3⤵
          PID:416
    • C:\Windows\mspaint.ini
      C:\Windows\mspaint.ini
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        2⤵
          PID:4456

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Server.exe
              Filesize

              743KB

              MD5

              00257c9de12e366b216f86103fb665ce

              SHA1

              4c66574736799b1d79eb5e43e181a55aeb82df1b

              SHA256

              ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

              SHA512

              7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Server.exe
              Filesize

              743KB

              MD5

              00257c9de12e366b216f86103fb665ce

              SHA1

              4c66574736799b1d79eb5e43e181a55aeb82df1b

              SHA256

              ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

              SHA512

              7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\½£»êרÓÃÁ¬·¢.exe
              Filesize

              440KB

              MD5

              5ff87d94ed3cc3b4294e39ad8b8ebbaf

              SHA1

              d198418d17d400942a9f2ff4fc9243576df71766

              SHA256

              41a55300e4a040b925551614a51902936c494c2d950443b74b81eee81f71be05

              SHA512

              fdd76f165479ff07a331a42b6a33a85b208fb6eeb3833ebe2ab682d130ad5135d8613dc11cef71eeeb4efa850f50228639ff7020be2ae15aaa0eb74e4f69880c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\½£»êרÓÃÁ¬·¢.exe
              Filesize

              440KB

              MD5

              5ff87d94ed3cc3b4294e39ad8b8ebbaf

              SHA1

              d198418d17d400942a9f2ff4fc9243576df71766

              SHA256

              41a55300e4a040b925551614a51902936c494c2d950443b74b81eee81f71be05

              SHA512

              fdd76f165479ff07a331a42b6a33a85b208fb6eeb3833ebe2ab682d130ad5135d8613dc11cef71eeeb4efa850f50228639ff7020be2ae15aaa0eb74e4f69880c

              Download Submit

            • C:\Windows\mspaint.ini
              Filesize

              743KB

              MD5

              00257c9de12e366b216f86103fb665ce

              SHA1

              4c66574736799b1d79eb5e43e181a55aeb82df1b

              SHA256

              ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

              SHA512

              7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

              Download Submit

            • C:\Windows\mspaint.ini
              Filesize

              743KB

              MD5

              00257c9de12e366b216f86103fb665ce

              SHA1

              4c66574736799b1d79eb5e43e181a55aeb82df1b

              SHA256

              ccc1b1d6fef7aa622947cad9822aff50d09f84f1c26a2fb0b1bab3794d0c3f3d

              SHA512

              7ae3b75adb05e55b3139d7ecf4bb0ef0c3afc646e3fc491f4e3949595d1d0603c05e49c96c780db6c1b686f8a274000191f28dad2cd6a5aa71b066694f3311aa

              Download Submit

            • C:\Windows\uninstal.bat
              Filesize

              138B

              MD5

              108384deb7a65165fecad26c7a858e73

              SHA1

              72c2c562d4d2ce1ff9e09f89cffb21e8826b6aa0

              SHA256

              0a1c04dc426f3545e0a34a9a919dcd8203af726bf8cd1b7516b39f8faf43ada9

              SHA512

              6bee8f82c61e906a767f6710ca81d05961e8d1790c14447312721a09742a462751c860e483fad6ce89edc0018bcbeab021e882eae181c8cfbef23f7bc97fbff4

              Download Submit