Overview

overview

7

Static

static

1

test.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    54s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/04/2023, 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    430KB

  • MD5

    26b81ae52bf2c73d19636e5a364a17ed

  • SHA1

    3ce65b5a03e1d3a50b3e07fa66f4f482269d5745

  • SHA256

    fadf983d577d2731c074e876bb030be0b76d9fc91abd0a4a54c2b28c6c0b96de

  • SHA512

    279232967e33fdd1e3be13122ec43fc5c3eccd5c59395b0d2c66684b016b1ccdb0db96a1b6abf0b9f313ee8e1ae6ef2e25c00d0d205d94223861ca57dc1c9cf1

  • SSDEEP

    12288:xgZXEAO/BUdG3gVdt7K1mzRcX3loDHHJv0H:xgZXoZUTVdt7K1wcXVojVc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HanzoInjection.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HanzoInjection.exe" -e .\Client.bin
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client.bin
    Filesize

    101KB

    MD5

    2af4f70043462062e4186c834806d19e

    SHA1

    9eb18c890ebc5c736ecbe56718e98d8e1239a1ff

    SHA256

    4c2d88bb0c75cefc9f476949052e6a23ab2a5e01bba7d4f867ed53985453d14f

    SHA512

    47d07402c49688e27c296aef65dc704482022f3d2e22a6333364335b13ff5c0fe4b3465a473f746425c308b275981ef3243b3996d344d1a981b73129adba2b3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HanzoInjection.exe
    Filesize

    23KB

    MD5

    3c2a8db247527288a270e1576d7ce508

    SHA1

    ee5931476a0469fd6bfcbe0bf3f611a54e87e07b

    SHA256

    26eb454fac222152fca9b79a2f782d4ad0ed774e5b857f808ceeee29f9901286

    SHA512

    235f419ef8d0de335dd41cca426369bc6739c92a9e957006f8557d56dfb17c50b0745c4313e1c298bdfe20b7f3f9e7f20ca873dfc1d39d4377a3fc447456d355

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HanzoInjection.exe
    Filesize

    23KB

    MD5

    3c2a8db247527288a270e1576d7ce508

    SHA1

    ee5931476a0469fd6bfcbe0bf3f611a54e87e07b

    SHA256

    26eb454fac222152fca9b79a2f782d4ad0ed774e5b857f808ceeee29f9901286

    SHA512

    235f419ef8d0de335dd41cca426369bc6739c92a9e957006f8557d56dfb17c50b0745c4313e1c298bdfe20b7f3f9e7f20ca873dfc1d39d4377a3fc447456d355

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs
    Filesize

    112B

    MD5

    a547bf3ce0f09ef3ef72fc4b3a28f717

    SHA1

    16ab352b5d859d50aaeb53694f2b694f74942813

    SHA256

    97caab642ccdfea9a9763842de93524ed42c5a8bce1813c3348245341c6f85b6

    SHA512

    61a22fa1c1799c11991baa3500fd8d80f8615b56c30e8c03f18bbed8e5bd3188eef22727de86cf67f971ab23ddd800424a7f1d0a7b5f5a38f3e09e955c7cb1f3

    Download Submit

  • memory/4596-148-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-147-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-144-0x0000000000190000-0x000000000019C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4596-149-0x0000000006300000-0x000000000639C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4596-150-0x0000000006950000-0x0000000006EF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4596-151-0x0000000006410000-0x0000000006476000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4596-152-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-153-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-154-0x0000000007380000-0x00000000073F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4596-155-0x0000000007420000-0x000000000743E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4596-156-0x0000000007540000-0x00000000075D2000-memory.dmp

    Filesize

    584KB

    Download