Analysis

  • max time kernel
    184s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 15:10

General

  • Target

    a221f60d2f2fe22d9f17b931e401f1dd4a1be6e32fcc0d337d72d1120b493db4.exe

  • Size

    159KB

  • MD5

    8876e1a379e1977b4bf30ef3d95a4866

  • SHA1

    518b6dc60cd1a43d0d67813debc93b7dc724428a

  • SHA256

    a221f60d2f2fe22d9f17b931e401f1dd4a1be6e32fcc0d337d72d1120b493db4

  • SHA512

    fd8feafe774041a74f459267d03bc42d3796e0c84af6ccc665043a2fe3303fe207ca93c4fbdeaaed6b66dc0a34bddc7b2f2d7205eb90b97842ad91770a0a0082

  • SSDEEP

    3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6Kl8bgQlYgSV4ykWn:PbXE9OiTGfhEClq9FKx7lCgQ7i4ykWn

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a221f60d2f2fe22d9f17b931e401f1dd4a1be6e32fcc0d337d72d1120b493db4.exe
    "C:\Users\Admin\AppData\Local\Temp\a221f60d2f2fe22d9f17b931e401f1dd4a1be6e32fcc0d337d72d1120b493db4.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\IAg\Okl\qyauzeletdvenadtsatqqqqqqqqqqqqqqqqqqqq.bat" "
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\IAg\Okl\saywontmeforjob.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:4296
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\IAg\Okl\lik000000000acodab.vbs"
        3⤵
        PID:4980

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Program Files (x86)\IAg\Okl\lik000000000acodab.vbs

            Filesize

            173B

            MD5

            889861b416316e401af3404867f1e470

            SHA1

            797bda994a544df6e285cf2c7422e9f1e8b8b308

            SHA256

            c870ac25ddd69a842712f85ef7eab52dd95c31ad782b977c473a893573680be3

            SHA512

            e3a268bb40117d745514030105996d633e29a11b80fe02b02323977f00f19af485eddb8505321667dc82616b61eec277c80c6e52cac65cfe949ec7b95383c1ba

          • C:\Program Files (x86)\IAg\Okl\moodin_life.ee

            Filesize

            41B

            MD5

            dd2fa6635addbd2da704d836b6d97974

            SHA1

            c5640dd9507f7633fd9faad7a70ae6f928d446de

            SHA256

            215dccb151a040d1a9bf89fd11aa6206a36ee88382a8c65399af70f7acf9f47a

            SHA512

            d5faa9e30e3d9b615fabd55b93f474847c70296bc5d59b8bb71b6c8d601c5bd24c5667c49c48b3bdbc35a91ea71faa748327ee0ba89e75c3a312b862b86e2f7b

          • C:\Program Files (x86)\IAg\Okl\qyauzeletdvenadtsatqqqqqqqqqqqqqqqqqqqq.bat

            Filesize

            2KB

            MD5

            1ea018f711a6925369ca820a50374ad3

            SHA1

            4d3c08db78ad6df9505d24415b68f95daa3f3470

            SHA256

            4f5ed2fc31111cd7297617b2038d9696f7623ad4e1887bf74fc5fb8d8965da1c

            SHA512

            0a8cf2c4c9344cc79514bf4c0e718b85d4e8713257808c756285bf761565ff0a4ccee7612009214293fca44a49196a4f45e56934c0e916921732cfb6a62e1afa

          • C:\Program Files (x86)\IAg\Okl\saywontmeforjob.vbs

            Filesize

            941B

            MD5

            3e9cdc028a84284241f2c4420b231a42

            SHA1

            eda18dea64ada8cad4dffa3afdaf2cf5a9286c2a

            SHA256

            4a07a6ef48b5f0bcadb582016d63566896006e2cb44c281200041f869137fbba

            SHA512

            bdb2b44da825dff32aa30f29b5c56c0d617d81994846c6e5563bb0f11bb821fbedbcea9c360ed5f7d1f8dc99ff1179ca39f965a02ba817512fe5af089d303d5a

          • C:\Program Files (x86)\IAg\Okl\smellliketeeen.sp

            Filesize

            27B

            MD5

            213c0742081a9007c9093a01760f9f8c

            SHA1

            df53bb518c732df777b5ce19fc7c02dcb2f9d81b

            SHA256

            9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

            SHA512

            55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9