Analysis

  • max time kernel
    2s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-01-2023 07:19

General

  • Target

    fakeobs/fake-obs.rar

  • Size

    14.6MB

  • MD5

    3042215ebeefb5aae8808afc228771c9

  • SHA1

    4cd97d264155e2605880e138e33b8c50cebe24ee

  • SHA256

    dd17f2803a4332398dcada5ce9abfa246241b14bc9c250fbada5ecf5d6e38da7

  • SHA512

    25e64453d5224f56f46a73e8c2c64da12fe508357c0ffa3ef992b140ccd1fec30582a9f15a4030a6f11f9b653d3abc16454e3ee592bda40475efc716210f3f6c

  • SSDEEP

    393216:SblI9gCds0xuDDAQLq5OP7E0y+gtT2ppkMkK9Gbw27T+6j:Sbl/gxqD/L+j0y+E2kMV9GbT7SE

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\fakeobs\fake-obs.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\fakeobs\fake-obs.rar
      2⤵
      • Modifies registry class
      PID:940

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/940-76-0x0000000000000000-mapping.dmp

  • memory/1236-54-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

    Filesize

    8KB