Overview

overview

8

Static

static

d9a3dd5545...84.exe

windows7-x64

8

d9a3dd5545...84.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    372s
  • max time network
    409s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9a3dd55455a83eff0c5fd4f0cd1c640271faf4fd1962ac40f7775cf2c785e84.exe

  • Size

    885KB

  • MD5

    c7e94f8d0907a897a5fe77a4a627021f

  • SHA1

    1096ecb165a32d63176806b49ba926399675efdd

  • SHA256

    d9a3dd55455a83eff0c5fd4f0cd1c640271faf4fd1962ac40f7775cf2c785e84

  • SHA512

    8603fbccc2510d0d1d520e984ed278ec241c378a79345322aa1c8ff6ef8e911a578117da779303c0f97f5dde13d9bf29274af874312415e2187cb6fffb7de938

  • SSDEEP

    24576:P2O/Glk/25Mro6osNLushLOnfsczkAdMmx8lX:Hs6o69Osc1dMmU

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9a3dd55455a83eff0c5fd4f0cd1c640271faf4fd1962ac40f7775cf2c785e84.exe
    "C:\Users\Admin\AppData\Local\Temp\d9a3dd55455a83eff0c5fd4f0cd1c640271faf4fd1962ac40f7775cf2c785e84.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\Adobe64x\invis.vbs" "C:\Users\Admin\AppData\Roaming\Adobe64x\bat.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Users\Admin\AppData\Roaming\Adobe64x\bat.exe
        "C:\Users\Admin\AppData\Roaming\Adobe64x\bat.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
          4⤵
            PID:3400
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
            4⤵
              PID:3132
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2348
              • C:\Windows\SysWOW64\attrib.exe
                attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
                5⤵
                • Views/modifies file attributes
                PID:3392
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              4⤵
                PID:3044
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                4⤵
                  PID:552
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c cls
                  4⤵
                    PID:4676
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c cls
                    4⤵
                      PID:4780
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      4⤵
                        PID:840
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c cls
                        4⤵
                          PID:1560
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp53525.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp53525.bat"
                          4⤵
                            PID:3000
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp10375.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp10375.exe"
                            4⤵
                              PID:4824
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp53525.bat "C:\Users\Admin\AppData\Roaming\Adobe64x\bat.exe"
                              4⤵
                                PID:2232

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\ztmp\tmp53525.bat
                          Filesize

                          503B

                          MD5

                          3b5338c91d0a1724ee27af0d6bcee496

                          SHA1

                          15fc51c52ddcd17a257708e8d38e59e366c14411

                          SHA256

                          a439daa2dc4ab8f75cb4a72c57c3abbb354395f2ae7bc56838e2367f4500bd2b

                          SHA512

                          2b4d9b42b86f0eeeaf6e0ddb8f9256607238acc74da4bc340c51f7a853fb06cf5ff42b954140a83167a58e883d13703bd208e3b54f6ec080e0268b208fc3a178

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Adobe64x\bat.exe
                          Filesize

                          80KB

                          MD5

                          68173453ee08e070325318fcf0c05a0c

                          SHA1

                          bb2ac36c15ca14ebf12a412ad700e40983c9e599

                          SHA256

                          a5045efd33b0ba42ae63dfe4d8d29244e0b6dd2e70c53bf38bad57d7983e5df2

                          SHA512

                          52b39efffbb1080871ffee15ef1aedb9447edc5265608e237a44e42820b051f29d4c9e34448ad31d015489e36e6910063691cae4b33ddd0c1492ea143b83bdb1

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Adobe64x\bat.exe
                          Filesize

                          80KB

                          MD5

                          68173453ee08e070325318fcf0c05a0c

                          SHA1

                          bb2ac36c15ca14ebf12a412ad700e40983c9e599

                          SHA256

                          a5045efd33b0ba42ae63dfe4d8d29244e0b6dd2e70c53bf38bad57d7983e5df2

                          SHA512

                          52b39efffbb1080871ffee15ef1aedb9447edc5265608e237a44e42820b051f29d4c9e34448ad31d015489e36e6910063691cae4b33ddd0c1492ea143b83bdb1

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Adobe64x\invis.vbs
                          Filesize

                          78B

                          MD5

                          c578d9653b22800c3eb6b6a51219bbb8

                          SHA1

                          a97aa251901bbe179a48dbc7a0c1872e163b1f2d

                          SHA256

                          20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

                          SHA512

                          3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

                          Download Submit

                        • memory/552-142-0x0000000000000000-mapping.dmp

                          Download

                        • memory/840-145-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1560-146-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2232-149-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2348-139-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3000-147-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3044-141-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3132-138-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3392-140-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3400-137-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4576-135-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4676-143-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4780-144-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4824-148-0x0000000000000000-mapping.dmp

                          Download

                        • memory/5072-132-0x0000000000000000-mapping.dmp

                          Download