Resubmissions

  • 19-02-2023 04:43
    230219-fcqmyaeb7x (score 7)
  • 18-02-2023 16:05
    230218-tjg62acf62 (score 7)

Analysis

  • max time kernel
    497s
  • max time network
    500s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-02-2023 04:43

General

  • Target

    file.exe

  • Size

    2.0MB

  • MD5

    a83d528c3debe4486cc91b5922040711

  • SHA1

    765d88a6a2ac079c0a7a7ac23dc630b82095339b

  • SHA256

    446deb48d5641c4977a2cdf9eb3722cbd4170a2eebd2d8c6fca1430767af04ad

  • SHA512

    a8c3e4b182882e79a6b74f6d9cd6514d268b1703ff76c8e07dfb4944a7ed83051a8816b40b9a2c9927cdd73a09a932a0c2d9ea83a8007bd400d289c35b4e433f

  • SSDEEP

    24576:Nwksz4Fw2f16CwIUEirFZTUvIweQ3qRbYl6DLJMv4oVI1ZwF33z5hG4vkXZurFJ:4bCwIUE2jvdQ3mb1ZGvVkZ+3lfgy

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
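The child PowerShell process above is the most important line of the report: its -ENC argument is base64 over UTF-16LE and decodes to `set-mppreference -exclusionpath C:\`, which tells Microsoft Defender to ignore the entire system drive before the payload does anything else. The script below is an added example written for this page (it is not part of the sandbox report or the sample): it decodes -EncodedCommand arguments from process command lines, handling the abbreviated switch forms PowerShell accepts, and flags Defender preference tampering. The tamper patterns and the sample command lines other than the observed one are illustrative constructions, not a vendor rule set.

```python
"""Decode PowerShell -EncodedCommand arguments and flag Defender tampering.

Added example for this report page, not code from the sample or the sandbox.
The tamper indicator list is an illustrative starting point (assumption),
not a complete or vendor-supplied detection rule.
"""
import base64
import binascii
import re

# Command line observed in the process tree above (PID 2652).
OBSERVED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
    "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA=="
)

# Any switch beginning with "-e" followed by a base64-looking token. Whether the
# switch really is -EncodedCommand is decided by _is_encoded_switch().
_ENC_SWITCH = re.compile(r'(?<!\S)-(e[a-z]*)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)

# Set-/Add-MpPreference with parameters that blind or exclude Defender coverage.
_TAMPER = re.compile(
    r"\b(?:set|add)-mppreference\b[^\n]*?-(?:exclusionpath|exclusionextension|"
    r"exclusionprocess|disablerealtimemonitoring|disableioavprotection)",
    re.IGNORECASE,
)

# An exclusion that is just a drive root (e.g. C:\) excludes everything on it.
_DRIVE_ROOT_EXCLUSION = re.compile(r'-exclusionpath\s+"?([A-Za-z]:\\?)"?(?:\s|$)', re.IGNORECASE)


def _is_encoded_switch(name: str) -> bool:
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and also -ec."""
    n = name.lower()
    return n == "ec" or "encodedcommand".startswith(n)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str):
    """Return the decoded script carried by a powershell command line, or None."""
    for m in _ENC_SWITCH.finditer(cmdline):
        if not _is_encoded_switch(m.group(1)):
            continue  # e.g. -ExecutionPolicy, which also starts with -e
        try:
            return decode_encoded_command(m.group(2))
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed blob: not decodable, do not guess
    return None


def assess(cmdline: str) -> dict:
    """Decode and classify one command line; 'findings' is empty when nothing matched."""
    script = extract_encoded_command(cmdline)
    findings = []
    if script is not None:
        if _TAMPER.search(script):
            findings.append("defender-preference-tampering")
        root = _DRIVE_ROOT_EXCLUSION.search(script)
        if root:
            findings.append("exclusion-covers-drive-root:" + root.group(1))
    return {"decoded": script, "findings": findings}


if __name__ == "__main__":
    # Constructed sample lines: the observed one plus two benign controls.
    samples = [
        OBSERVED_CMDLINE,
        r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
        "powershell.exe -e " + encode_command("Get-Date"),
    ]
    for line in samples:
        print(assess(line))
```

Set-MpPreference -ExclusionPath replaces the existing exclusion list rather than appending to it, and changing Defender preferences requires administrative rights, which the sandbox user ("Admin") has. When hunting for this on endpoints, pair the decoded command line with Defender's own configuration-change event (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), which records the new exclusion regardless of how it was set.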

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\517ed413-7642-48b7-a7f7-416d48d677d4\AgileDotNetRT64.dll
    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • memory/1952-132-0x0000000000BC0000-0x0000000000DD0000-memory.dmp
    Filesize

    2.1MB

  • memory/1952-134-0x00007FF98E6A0000-0x00007FF98E7EE000-memory.dmp
    Filesize

    1.3MB

  • memory/1952-135-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
    Filesize

    10.8MB

  • memory/1952-140-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
    Filesize

    10.8MB

  • memory/2652-136-0x0000000000000000-mapping.dmp
  • memory/2652-137-0x000001E82FF80000-0x000001E82FFA2000-memory.dmp
    Filesize

    136KB

  • memory/2652-138-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
    Filesize

    10.8MB

  • memory/2652-139-0x00007FF98FDF0000-0x00007FF9908B1000-memory.dmp
    Filesize

    10.8MB