Overview

overview

8

Static

static

1

f33af993fd...97.exe

windows7-x64

8

f33af993fd...97.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/03/2023, 01:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597.exe

  • Size

    3.3MB

  • MD5

    1232537c161e32f904ce36d4f29c71d0

  • SHA1

    1bc2fdc280628cebb4a3f0104a642df02e98b27c

  • SHA256

    f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597

  • SHA512

    25b288318cc05bdbb40a1f9feeef550703354ae75b6582be3a052c32c0f2bc31978e7e00aa4516f6a9faff4b64fd3432fd5374b1df0b3ae30998c827e47c8b76

  • SSDEEP

    98304:uviz/27qWGq/TzuqCDl2Ptao7jk8zatt1N3:uviq75/TzufvpN3

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597.exe
    "C:\Users\Admin\AppData\Local\Temp\f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\ProgramData\WindowsDefender.exe
          "C:\ProgramData\WindowsDefender.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops autorun.inf file
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3176
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\ProgramData\WindowsDefender.exe" "WindowsDefender.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            PID:908
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3436

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\WindowsDefender.exe
          Filesize

          122KB

          MD5

          b870be9d6f1afe7effb70c01388fd45d

          SHA1

          58496b46542ef55b1d155d4cc266c3d976cca1a3

          SHA256

          b7c5d1859604bb32f32cd42f3689942e6ce5a0e372540d8974f18e828dc73dc2

          SHA512

          22ef3f80f7ff1793725284f85927719ac6518b929ad109c8187d05c404d9244f6240b2448dfdfceb5215e78caf963e2418a18ce1d81e18924733a246ebb726ab

          Download Submit

        • C:\ProgramData\WindowsDefender.exe
          Filesize

          122KB

          MD5

          b870be9d6f1afe7effb70c01388fd45d

          SHA1

          58496b46542ef55b1d155d4cc266c3d976cca1a3

          SHA256

          b7c5d1859604bb32f32cd42f3689942e6ce5a0e372540d8974f18e828dc73dc2

          SHA512

          22ef3f80f7ff1793725284f85927719ac6518b929ad109c8187d05c404d9244f6240b2448dfdfceb5215e78caf963e2418a18ce1d81e18924733a246ebb726ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
          Filesize

          2KB

          MD5

          340b294efc691d1b20c64175d565ebc7

          SHA1

          81cb9649bd1c9a62ae79e781818fc24d15c29ce7

          SHA256

          72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

          SHA512

          1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
          Filesize

          13KB

          MD5

          3e7ecaeb51c2812d13b07ec852d74aaf

          SHA1

          e9bdab93596ffb0f7f8c65243c579180939acb26

          SHA256

          e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

          SHA512

          635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
          Filesize

          6.1MB

          MD5

          424bf196deaeb4ddcafb78e137fa560a

          SHA1

          007738e9486c904a3115daa6e8ba2ee692af58c8

          SHA256

          0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

          SHA512

          a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
          Filesize

          6.1MB

          MD5

          424bf196deaeb4ddcafb78e137fa560a

          SHA1

          007738e9486c904a3115daa6e8ba2ee692af58c8

          SHA256

          0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

          SHA512

          a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
          Filesize

          122KB

          MD5

          4634044951decb927b22e24b09d33389

          SHA1

          88350c9864e74abafb1467b281bdf56fade90ec2

          SHA256

          d763c417efe104d0b2c1e960f1cabf4189180cdf541daeb5eaac066792b69b17

          SHA512

          5c97fd6a54fc987860374945e08257f49431725c06bcd2d4dfcb455442b8d9a06965ff3674f78a2d02620ee248b136e7ef0715e0a54116718970d115ec85d249

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
          Filesize

          122KB

          MD5

          b870be9d6f1afe7effb70c01388fd45d

          SHA1

          58496b46542ef55b1d155d4cc266c3d976cca1a3

          SHA256

          b7c5d1859604bb32f32cd42f3689942e6ce5a0e372540d8974f18e828dc73dc2

          SHA512

          22ef3f80f7ff1793725284f85927719ac6518b929ad109c8187d05c404d9244f6240b2448dfdfceb5215e78caf963e2418a18ce1d81e18924733a246ebb726ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
          Filesize

          122KB

          MD5

          b870be9d6f1afe7effb70c01388fd45d

          SHA1

          58496b46542ef55b1d155d4cc266c3d976cca1a3

          SHA256

          b7c5d1859604bb32f32cd42f3689942e6ce5a0e372540d8974f18e828dc73dc2

          SHA512

          22ef3f80f7ff1793725284f85927719ac6518b929ad109c8187d05c404d9244f6240b2448dfdfceb5215e78caf963e2418a18ce1d81e18924733a246ebb726ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
          Filesize

          122KB

          MD5

          b870be9d6f1afe7effb70c01388fd45d

          SHA1

          58496b46542ef55b1d155d4cc266c3d976cca1a3

          SHA256

          b7c5d1859604bb32f32cd42f3689942e6ce5a0e372540d8974f18e828dc73dc2

          SHA512

          22ef3f80f7ff1793725284f85927719ac6518b929ad109c8187d05c404d9244f6240b2448dfdfceb5215e78caf963e2418a18ce1d81e18924733a246ebb726ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
          Filesize

          4B

          MD5

          b326b5062b2f0e69046810717534cb09

          SHA1

          5ffe533b830f08a0326348a9160afafc8ada44db

          SHA256

          b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b

          SHA512

          9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
          Filesize

          322KB

          MD5

          c3256800dce47c14acc83ccca4c3e2ac

          SHA1

          9d126818c66991dbc3813a65eddb88bbcf77f30a

          SHA256

          f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

          SHA512

          6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
          Filesize

          322KB

          MD5

          c3256800dce47c14acc83ccca4c3e2ac

          SHA1

          9d126818c66991dbc3813a65eddb88bbcf77f30a

          SHA256

          f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

          SHA512

          6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

          Download Submit

        • memory/2308-173-0x00000000049E0000-0x00000000049E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2308-172-0x0000000000750000-0x0000000000760000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3176-183-0x0000000002B80000-0x0000000002B90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3176-184-0x0000000005320000-0x0000000005321000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3176-190-0x0000000002B80000-0x0000000002B90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3176-191-0x0000000002B80000-0x0000000002B90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3176-202-0x0000000002B80000-0x0000000002B90000-memory.dmp

          Filesize

          64KB

          Download