Analysis

  • max time kernel
    101s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2022 10:10

General

  • Target

    984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe

  • Size

    24KB

  • MD5

    b7238e895dacb08dc02cc9fffe8d6ae6

  • SHA1

    50dc839b70238b7978172fad5da7decc1a3670af

  • SHA256

    984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589

  • SHA512

    058c5555b3dd12040b232f87ab8786f5c343ec3a2f338cc2d7f9c0116e648e1d85d59265281a37ca40a7b4d3fe9bdb808a40d9339f52332909a9643fe00cd213

  • SSDEEP

    384:GFMhenvo5s+k2abxKHBRZkZTlzOPRlDA/dUIC3RYAdi25M7S/2oEm:oMhyQa2abxKHBRZkZxSHL3tdi25aE2lm

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe
        "C:\Users\Admin\AppData\Local\Temp\984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Windows\bot.exe
          "C:\Windows\bot.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3548

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Windows\bot.exe

      Filesize

      12KB

      MD5

      a58bf9fc0d40be326f68e2ea2c27a6a0

      SHA1

      d6e9084dbf3aa6c0d3aea737e4fa65488ac6e5de

      SHA256

      98dcb2580c7de1860f30c119ad12a8986578eee1b1b6925ae8e718709992c4d5

      SHA512

      40419d6f5cc64fe21c6c23ce8306318b68801e17dce703948e23c2f0600f890d92e2a674f501dd36b6774ac0f41ad436da0f1f199ff2724f4a324a99f04e7182
