Overview

overview

7

Static

static

3

787cac0429...a5.exe

windows7-x64

7

787cac0429...a5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    787cac04295f81ec2fcc4d02e4c477579caf909d6c7685498408a4cc8101eca5.exe

  • Size

    2.3MB

  • MD5

    0636d779e31acaa547ab6c6a8a7b222e

  • SHA1

    b26b10fc2017a68d3c1c60aa6b969d52e3a7e53b

  • SHA256

    787cac04295f81ec2fcc4d02e4c477579caf909d6c7685498408a4cc8101eca5

  • SHA512

    150abcceafe9ea4509fc2df7403fc94dcffca698b3dce2a6f8e2b784e34930551e11c4bc092aa7a85f535736ad434215d64bd14ad3b267bf3fd3424b9d6c2053

  • SSDEEP

    49152:gy63QQgrb/TCvO90dL3BmAFd4A64nsfJ0+8lGgTl75Cgf8b1a15kOgx:c3Rl+Itv15k

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\787cac04295f81ec2fcc4d02e4c477579caf909d6c7685498408a4cc8101eca5.exe
    "C:\Users\Admin\AppData\Local\Temp\787cac04295f81ec2fcc4d02e4c477579caf909d6c7685498408a4cc8101eca5.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Public\Downloads\calc.exe.exe
      "C:/Users/Public/Downloads/calc.exe.exe "
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:5004
    • C:\Windows\system32\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.txt
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2064
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1996
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.txt
    Filesize

    6B

    MD5

    4297f44b13955235245b2497399d7a93

    SHA1

    601f1889667efaebb33b8c12572835da3f027f78

    SHA256

    96cae35ce8a9b0244178bf28e4966c2ce1b8385723a96a6b838858cdd6ca0a1e

    SHA512

    263fec58861449aacc1c328a4aff64aff4c62df4a2d50b3f207fa89b6e242c9aa778e7a8baeffef85b6ca6d2e7dc16ff0a760d59c13c238f6bcdc32f8ce9cc62

    Download Submit

  • C:\Users\Public\Downloads\calc.exe.exe
    Filesize

    44KB

    MD5

    2f82623f9523c0d167862cad0eff6806

    SHA1

    5d77804b87735e66d7d1e263c31c4ef010f16153

    SHA256

    9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

    SHA512

    7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

    Download Submit