Overview

overview

7

Static

static

7b9bb413f7...33.exe

windows7-x64

3

7b9bb413f7...33.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    91s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2023 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe

  • Size

    1.5MB

  • MD5

    34beaa69b367754e9cf8a6a9371edf5c

  • SHA1

    e380cbaff884da11ea08c4916018f46bd569dde0

  • SHA256

    7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433

  • SHA512

    92e1a74cd9d81153367dbefc46f95cc598cf49dc7ff6cf14e18c1eb906f773187d08fcecd60251ae58884c3d1d8b8b52b2a9a88bca919d6a928196544544fbae

  • SSDEEP

    24576:Ooi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnF:O3Tq24GjdGSgw+W7SCRnVQTEQ/BA8

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe
    "C:\Users\Admin\AppData\Local\Temp\7b9bb413f70473b65af5164a696f357451d06b2fd8cd44726cb3887de2e8b433.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1146.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:5004
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 3712
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:100
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:3892

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1146.tmp.bat
      Filesize

      57B

      MD5

      13d9062f8bca9b1cfe09ae30939f4b5d

      SHA1

      e05228b16bfc35ccfa187766e3723ecc52138c1f

      SHA256

      9308018cbb2adb3824db52857d1c2a132b94ecb31799a84df625c1e1112043e0

      SHA512

      7391e355e0d348de76cbbf41bef2050c5a9a495d3847f932933ccad70d25b61f5901000efe491668a5eb545e80e1721303ca2e2238fa13c9d110ced89d49e296

      Download Submit

    • memory/3712-132-0x00000000008B0000-0x0000000000A34000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3712-133-0x00000000053F0000-0x0000000005456000-memory.dmp

      Filesize

      408KB

      Download