Overview

overview

10

Static

static

610d7722e9...fb.exe

windows7-x64

10

610d7722e9...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe

  • Size

    68KB

  • MD5

    1d6c90d80ed41db48e6a4df1d4e474b0

  • SHA1

    9b9bb111792fccdb55aad65d9823f17710816e36

  • SHA256

    610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

  • SHA512

    fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

  • SSDEEP

    1536:lAUg7Xm0RmNAtk4myu4H1epSF3P5i8EKwr:lwa04N6myue4u5Qlr

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
    "C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
      C:\Users\Admin\AppData\Local\Temp\610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb.exe
      2⤵
      • Modifies firewall policy service
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
        "C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
          C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
          4⤵
          • Executes dropped EXE
          PID:4836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
    Filesize

    68KB

    MD5

    1d6c90d80ed41db48e6a4df1d4e474b0

    SHA1

    9b9bb111792fccdb55aad65d9823f17710816e36

    SHA256

    610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

    SHA512

    fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

    Download Submit

  • C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
    Filesize

    68KB

    MD5

    1d6c90d80ed41db48e6a4df1d4e474b0

    SHA1

    9b9bb111792fccdb55aad65d9823f17710816e36

    SHA256

    610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

    SHA512

    fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

    Download Submit

  • C:\Users\Admin\P-7-78-8964-9648-3874\winusm.exe
    Filesize

    68KB

    MD5

    1d6c90d80ed41db48e6a4df1d4e474b0

    SHA1

    9b9bb111792fccdb55aad65d9823f17710816e36

    SHA256

    610d7722e9af370ceaf66c692774e2361fc05bed43c28b2955e9e038c26a63fb

    SHA512

    fcd1ae1fea1bd55df28c14c03a5dc0cbb2e66894edb200e22915a88fae594c39b72d05ac40232ff7e911fbf4920f3b953cb6f0a5df4e4981913f89d6693cbeb0

    Download Submit

  • memory/2276-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4836-141-0x0000000000000000-mapping.dmp

    Download

  • memory/5116-132-0x0000000000000000-mapping.dmp

    Download

  • memory/5116-133-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5116-135-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5116-136-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5116-137-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download