Overview

overview

8

Static

static

c4af7298c6...d0.exe

windows7-x64

8

c4af7298c6...d0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    7s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe

  • Size

    161KB

  • MD5

    66fc2fb19cd6b028612201b24ca9d232

  • SHA1

    3ebe63324a641b259ee5cc2fe2f05589efcdbadb

  • SHA256

    c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0

  • SHA512

    75b07851d7242863d6a8c356d79afeed69e488c11e28569e4e7e34cdd465c17d9325c467d3c9e89a939c4c5c8fe4bbab6c7b6c5f9b2b2cdd34bab8bf3f760b61

  • SSDEEP

    3072:IWDdpkGLGqEIYebgLBHFTmrnb5qaD7Zc9dbqBZFc9/+Yzunep:IWfLLGq9YebsRmrYaD7ZQ0XS94nep

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe
    "C:\Users\Admin\AppData\Local\Temp\c4af7298c6d231c289c0d6d1d0752573624bd714a6bf3b72df5560b7cea869d0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\hexec.exe
      "C:\Windows\system32\hexec.exe" C:\Windows\system32\go.bat
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\go.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\SysWOW64\msdsa.exe
          msdsa.exe -:installonly
          4⤵
          • Executes dropped EXE
          PID:3700
        • C:\Windows\SysWOW64\net.exe
          net start MSDSA
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:928
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start MSDSA
            5⤵
              PID:4544
    • C:\Windows\SysWOW64\msdsa.exe
      C:\Windows\SysWOW64\msdsa.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:3900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\go.bat
      Filesize

      234B

      MD5

      2d775f85e78e8d54f1fe88a6890e4ce5

      SHA1

      d01c31b5e613887bf4f3d1f6065d161bfbbe297d

      SHA256

      e658989c7ec02d319d5c0151281d048c19d2bd89d43b6e067797161cf3c74bd0

      SHA512

      71214c0439015c13a5af492aed52d260bbe644032170f80c0ef2884804c859e510078f7c3cbfc8d5a60444ef70858d7a66f161aa0c8f5e0cdf9920e3dbbbcfa2

      Download Submit

    • C:\Windows\SysWOW64\hexec.exe
      Filesize

      17KB

      MD5

      8156fa5e0fe92c906c005148802b3e34

      SHA1

      0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

      SHA256

      c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

      SHA512

      48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

      Download Submit

    • C:\Windows\SysWOW64\hexec.exe
      Filesize

      17KB

      MD5

      8156fa5e0fe92c906c005148802b3e34

      SHA1

      0c2b95bb8d7ef2adbd951bad306d1508d7dd3d39

      SHA256

      c62b3297b7134b0a0e9a133627a34dfd587dc37de91bac2900a137a579ff46ae

      SHA512

      48ff99b4b0cb495c857192c1afd5332afaf2d3196b1ea5cddcd8b69e7bcdca6770209c6fce7e6976bc77c44b7ac7e32365791c1cfaa14c3825f84870aa5c52cb

      Download Submit

    • C:\Windows\SysWOW64\msdsa.exe
      Filesize

      35KB

      MD5

      f4fe580cc6de481af8947ed94c6fe2cf

      SHA1

      49d3710dd959a5b26e473c25da483bed28ac1e2a

      SHA256

      c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

      SHA512

      cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

      Download Submit

    • C:\Windows\SysWOW64\msdsa.exe
      Filesize

      35KB

      MD5

      f4fe580cc6de481af8947ed94c6fe2cf

      SHA1

      49d3710dd959a5b26e473c25da483bed28ac1e2a

      SHA256

      c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

      SHA512

      cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

      Download Submit

    • C:\Windows\SysWOW64\msdsa.exe
      Filesize

      35KB

      MD5

      f4fe580cc6de481af8947ed94c6fe2cf

      SHA1

      49d3710dd959a5b26e473c25da483bed28ac1e2a

      SHA256

      c5d9a3f1706eefcdf4fbb96d9a51f1ccde711505c1dc4e199988926f6eaf0660

      SHA512

      cbd03477067ab1cb70e16a4bd2d96733f351d715c48ddda9955719ede5efe57fad9391945ab304cce481a475833f4655c83a266326eedeb64c7502dc4d5a40d4

      Download Submit

    • C:\Windows\SysWOW64\msdsa.ini
      Filesize

      3KB

      MD5

      70d8d7027563b67fcb56d44488656416

      SHA1

      895d9a9e7df42c9fbdab1f5298f14b2ffb928787

      SHA256

      50e1e3e5f045f673b06f67964abf23a14325dd9416d5fedf181c0b9be826520d

      SHA512

      916e99f5e666a54581dd8413c52b50b25beb88a9316ed7cf8e91b9737e6a4df429772f28f2f29376f16818a3cecffaed4260ac8504c0be85917c003e391a22b7

      Download Submit

    • memory/928-143-0x0000000000000000-mapping.dmp

      Download

    • memory/2040-132-0x0000000000000000-mapping.dmp

      Download

    • memory/3700-140-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/3700-142-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/3700-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3900-147-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/3900-148-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/3900-149-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/4544-144-0x0000000000000000-mapping.dmp

      Download

    • memory/5040-135-0x0000000000000000-mapping.dmp

      Download