Overview

overview

6

Static

static

9ea8802ad7...4e.exe

windows7-x64

6

9ea8802ad7...4e.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ea8802ad7f3eaac9e578939b75fd0c280bec567bcbe5c975f53841a1626d54e.exe

  • Size

    1.2MB

  • MD5

    d2bf483fba9f8c45f5e2c8ef73f7f3db

  • SHA1

    6907d737daacc2be85ad508b99d6eaf18238747b

  • SHA256

    9ea8802ad7f3eaac9e578939b75fd0c280bec567bcbe5c975f53841a1626d54e

  • SHA512

    f6b131ae1456cd9ddc114ac3c0169e984972aeae84c44529c949558605dd24084377126c1f726d74381006ef56a34b5858aa14597512009b6ad3501a44881107

  • SSDEEP

    24576:V1oWVB6F3KYAv9QqGz6rn9K5z1+XXYwCs:Q/dKbqz6rnswXXY

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 9 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ea8802ad7f3eaac9e578939b75fd0c280bec567bcbe5c975f53841a1626d54e.exe
    "C:\Users\Admin\AppData\Local\Temp\9ea8802ad7f3eaac9e578939b75fd0c280bec567bcbe5c975f53841a1626d54e.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im kavsvc.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4244
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im KVXP.kxp
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Rav.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ravmon.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5048
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Mcshield.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im VsTskMgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360tray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3604
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360sd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360rp.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/388-141-0x0000000000000000-mapping.dmp

    Download

  • memory/396-137-0x0000000000000000-mapping.dmp

    Download

  • memory/1984-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2092-136-0x0000000000000000-mapping.dmp

    Download

  • memory/3524-140-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3524-142-0x0000000000400000-0x0000000000538000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3604-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4244-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4716-133-0x0000000000000000-mapping.dmp

    Download

  • memory/5048-135-0x0000000000000000-mapping.dmp

    Download

  • memory/5052-139-0x0000000000000000-mapping.dmp

    Download