Analysis

  • max time kernel
    187s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 11:16

General

  • Target

    eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe

  • Size

    209KB

  • MD5

    092e0add784eeba4e827cf6ba4974697

  • SHA1

    6a99174453742da9593e5f5aa2322004329c0667

  • SHA256

    eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34

  • SHA512

    e6b8a49823bfc325f0efc2ad735fe514fe8ae49b8d00d4b1e3011f9ca9493a23746daf7d26c3d8e76aed6136516a5c8aebe88d10aac77e1fd91430ee78f68862

  • SSDEEP

    6144:6/RS6GzafQElV3mmqzMvS6GzafQElV3mmqzC:6/RN48V3mm/N48V3mmp

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe
    "C:\Users\Admin\AppData\Local\Temp\eb2c258568c39bc27e324f829d928a9921f664ea750d2bc3a2f3a51e62d3ef34.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\mbmexgp.exe
      "C:\Users\Admin\AppData\Local\Temp\mbmexgp.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies WinLogon
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        PID:4732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hteo.vbs"
      2⤵
        PID:3508

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hteo.vbs

      Filesize

      243B

      MD5

      b6160dedcf4889d526e3d85bcab88a38

      SHA1

      77c51dd9842f498e7127e30e0c28973be3002237

      SHA256

      b7b50001b6c440cf3effb1ba837988eb9c69f24af1dd182f204c5e0ef23e7cf8

      SHA512

      8f64b1b924358955b4b16584f9cca7aece0c2aba776c517f6889ff3238a5ac63b55144bfa4458d92dfc6583760bcd3721412996a15578ea7b10f960c97c7836c

    • C:\Users\Admin\AppData\Local\Temp\mbmexgp.exe

      Filesize

      64KB

      MD5

      3f568b3289dbe148de0562c0c82b99d9

      SHA1

      37ace7dbadb88e9c881c7df1761b443d4837c1a6

      SHA256

      00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

      SHA512

      0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04

    • C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe

      Filesize

      64KB

      MD5

      3f568b3289dbe148de0562c0c82b99d9

      SHA1

      37ace7dbadb88e9c881c7df1761b443d4837c1a6

      SHA256

      00918eb2cd50827a542d5a34f54c4e373fb6e64f931368ed5ce1552aaa18fa5e

      SHA512

      0d939177b53d52ce5612e28ca6a4b1402b39a7c192b092967d4ab842bc7b74716f2b2568a9af6fccc9279474b99ee959a1c4796eec78588a371e3e200a6dbe04
