Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-01-2023 07:41

General

  • Target

    file.exe

  • Size

    364KB

  • MD5

    857213733ec87a3449d87551b4e9b480

  • SHA1

    50dcee9476d0a277e6594855bc2bd9d346eec34b

  • SHA256

    e6f1142d31761fb10385b5f535aeebc3e0deaf71bf231fe8bb6925eb25b41759

  • SHA512

    e0982c4a84bee1bbe446e082495d956e4d13d62e4b10661488a89c266ef76c14497801a2966c05fb248bb99a5c97ed474939c53a83e3dc8de6a876e755a7c9e9

  • SSDEEP

    6144:kuGLs+bLo1Kd52UDsvg19UK7z+BsptYXX/ASf8JyI98vuZzxEmXCgyG:kuGw+bLEOsv+9tqsnYH/hfCKmZznS

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:5000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 824
      2⤵
      • Program crash
      PID:4588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3544 -ip 3544
    1⤵
      PID:4972
    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      1⤵
      • Executes dropped EXE
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

      Filesize

      706.7MB

      MD5

      4653267a2df738b2b87493ee2bb527bf

      SHA1

      974f1d186a4f256565d7d71105a6f4feb32638ff

      SHA256

      0ff801b8f6be2e598b8c45ac6321eb3f3f36c4b447b808e1874ce3a2f620ed36

      SHA512

      fef112603ae645593140dab729f1571b95d854c2acea8da252b63d34170b186f6eacf8d48064ce747542335eaede2eb0e0200e824cd7ad78064a3c048bbc2ec5

    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

      Filesize

      727.1MB

      MD5

      87e9ffc43edd994618d677cb13a9db18

      SHA1

      380d0014837611d79cec1962c3cf4b7c4da26504

      SHA256

      c84f1880bf7c7e338dfcbb07a1d8258c2bd786e969cd2f29da14fb538db074cc

      SHA512

      613f78329cc00c121220c529083e21887c359d919897e71d86454b05cc57a2dbefeb4b437005872448e043b7a6534dcad03c6ea7e88b47bd3bdc42fc1dcf2404

    • memory/1012-140-0x000000000066D000-0x0000000000697000-memory.dmp

      Filesize

      168KB

    • memory/1012-141-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/1012-142-0x000000000066D000-0x0000000000697000-memory.dmp

      Filesize

      168KB

    • memory/3544-133-0x00000000021C0000-0x0000000002207000-memory.dmp

      Filesize

      284KB

    • memory/3544-132-0x00000000004AE000-0x00000000004D8000-memory.dmp

      Filesize

      168KB

    • memory/3544-134-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/3544-136-0x00000000004AE000-0x00000000004D8000-memory.dmp

      Filesize

      168KB

    • memory/3544-137-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB