Analysis

  • max time kernel
    157s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 15:10

General

  • Target: f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
  • Size: 158KB
  • MD5: 51e43e48dcb2fd793e5d78de0dc96f19
  • SHA1: f3f8efc48628a059fd7d2a3d063983d790705013
  • SHA256: f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57
  • SHA512: e3c65821013bec7737d4a6d96e39034e8057a57a250bb74ccd22f267302a71c737a947ab9becb6db4bf9158135208be848e8c706ff1c9ddc6a319f4d89a380ae
  • SSDEEP: 3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6uMN4hRI9wZVOC:PbXE9OiTGfhEClq9FKxPryyB

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
    "C:\Users\Admin\AppData\Local\Temp\f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:4168
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs"
        3⤵
        PID:4508

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs
    Filesize: 228B
    MD5: b99237809014a06f99eabc55d2f5a364
    SHA1: 1b810e31da125fdd1663795c34e6a7011ea8e6dc
    SHA256: ecbffb9d445e74a2d4d1085dded375264727a10e0860988e6136a8e22540fc69
    SHA512: 627ced7f0a3e021ce5c7e3c3da589889643c9507bd54e55c5ed02b02e12e0967380737efb95209f742cc91ed0bfa76c0406756206901c0acb0a8b17882c38933

  • C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat
    Filesize: 2KB
    MD5: 713648a9fea60e8f16e05017a60c0d78
    SHA1: 7251903592a551256ffcd6c622ab155f94087f43
    SHA256: ec32361cd45f9b611c10724b2d1600c13d2c76f4c56901aa47e7323fe3baf1ad
    SHA512: af9df0aaa22a3a8bd353133a2218ffd469dcc2a570ec2846de39c92384fe7f5afea7df8147a734624e22b361db54d6db2552337ea22b598d782bbe0640acdac6

  • C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs
    Filesize: 153B
    MD5: 88006170f635e5aa130a41520eeb0978
    SHA1: a5b576d4a407769dd1b50eff76fe7a6f1937ec22
    SHA256: 51cc7c49ab0085a5b1f33b04d489845561dab8c6cf7c6f87e000edf2aee05c57
    SHA512: c0120849c2d31c52ed490eb5f43000a85d089dc4343e12b8d45f4b38ee4a5cefe76344665ead038479adcc475c951df8c12ced8a2930ebf579f96787ea9114ef

  • C:\Program Files (x86)\Ik\Ed\yanhuidirect.tt
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: 25d003bfee5ab825611b187c29fab298
    SHA1: 5790e27656ec129e9f16ce9dd22eeab03d9a407d
    SHA256: 54cfd761d1ebb73908d8bd1ec02c6a77db16adf0566d5a28244518b7bd920d90
    SHA512: 5d784865904e7998ecb94bfe89f02fba50e6edff0f78691c7e030d0ca39802f75fbcfca3a0c07ec967c5883d85f32f4560109b1e3a69fa6aa816dc609de156a7