Overview

overview

7

Static

static

SOA.exe

windows7-x64

3

SOA.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    91s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 10:26

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SOA.exe

  • Size

    671KB

  • MD5

    774dc51d4da8bbc4e682008bf4d61aa2

  • SHA1

    0a12ab2bed3ce4e701e534df5c24bfef8dcc653b

  • SHA256

    b03d831a555a8366ac262fa9d13fde89b675803d41c57d36f07090a0cedab154

  • SHA512

    38bfce718ca25bba53e5ceb3de3c6b7c643bfdd358094ab8d0ec288415391146e029d778a43afe3edb86e4bf8d7fde2a65e3f553ee2467437f6b3de1eb3b2306

  • SSDEEP

    12288:UF3gflcMVpRY6HxOVU9z+EHE1tKuSoNvXOTwYM0:z6MVpcUptU9A

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOA.exe
    "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    Checks computer location settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BWhappphtUdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC0A.tmp"
      Creates scheduled task(s)
      PID:4336
    • C:\Users\Admin\AppData\Local\Temp\SOA.exe
      "{path}"
      PID:1936
    • C:\Users\Admin\AppData\Local\Temp\SOA.exe
      "{path}"
      PID:1872
    • C:\Users\Admin\AppData\Local\Temp\SOA.exe
      "{path}"
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\SOA.exe
      "{path}"
      PID:1788
    • C:\Users\Admin\AppData\Local\Temp\SOA.exe
      "{path}"
      PID:904

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEC0A.tmp
    Filesize

    1KB

    MD5

    651b9bb871e69166aaa89a438a067e5c

    SHA1

    c6f6b3a52d41ba94c9e8e569d1ebd725f4d13418

    SHA256

    a288d7bcd77f514a3dc2deb44f0a0a2b44284e794416fbaac209982ab18afad3

    SHA512

    9091170c30a11f419c73768e255038fbb0de604a625e7d18a91bf44e855e35f88b06c4349c457eda33b0c5ee55bda5930b2d8cd5c2e078195409b114297846da

    Download Submit
  • memory/4336-137-0x0000000000000000-mapping.dmp
    Download
  • memory/5048-132-0x0000000000480000-0x000000000052E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/5048-133-0x00000000054D0000-0x0000000005A74000-memory.dmp
    Filesize

    5MB

    Download
  • memory/5048-134-0x0000000004F20000-0x0000000004FB2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/5048-135-0x0000000004FC0000-0x000000000505C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/5048-136-0x0000000004EC0000-0x0000000004ECA000-memory.dmp
    Filesize

    40KB

    Download