Overview

overview

10

Static

static

10

832448fcb3...fa.exe

windows7-x64

7

832448fcb3...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe

  • Size

    221.2MB

  • MD5

    5a79d71298c80aaf94cad9354d687acc

  • SHA1

    0e2edb5daa563922bee17b0cf39a87b7dff25018

  • SHA256

    832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa

  • SHA512

    ab81a7ac51d857888a863fab15bd69d85dbf8cc636bc814915fb79e22d12b7cc2efe4b528fe0988a0fce68703dedd7d9e203619a354c16cffd9746fe6898abaa

  • SSDEEP

    6291456:D00QRvCviS8vs/tQB6M3SRdphg/UUJJ4eeZr1Mr+/0Wt7sgWZQ:+RvCviSm3SPg/Uyk1d/0WJ

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe
    "C:\Users\Admin\AppData\Local\Temp\832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe
      "C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe" /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\Temp\{CF9A80C9-1AE0-4F07-B1C0-91549434A43F}\.cr\VC_redist.x64.exe
        "C:\Windows\Temp\{CF9A80C9-1AE0-4F07-B1C0-91549434A43F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /quiet /norestart
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\Temp\{33B83190-6FD6-4FA9-8B94-44208F025A0A}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{33B83190-6FD6-4FA9-8B94-44208F025A0A}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{78A9CFC3-A370-4DD8-A3CD-C7F378D9804A} {46539F82-0133-40FC-85C4-F28FCFB4683C} 5040
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          PID:4952
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 964
          4⤵
          • Program crash
          PID:2964
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3820
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5040 -ip 5040
    1⤵
      PID:3872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Deep Sea Electronics Ltd\DSE Scada\install\VC_redist.x64.exe
      Filesize

      24.2MB

      MD5

      101b0b9f74cdc6cdbd2570bfe92e302c

      SHA1

      2e6bae42c2842b4f558bd68099479b929bb7d910

      SHA256

      4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f

      SHA512

      ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506

      Download Submit

    • C:\Windows\Tasks\C__Users_Admin_AppData_Local_Temp_832448fcb3cd222b62a08cdc9fabf2e6bffe92a6bdbcf481a0edcec65f965efa.exe.job
      Filesize

      378B

      MD5

      27b97df8cde8fa8699f3db751d727633

      SHA1

      530c737b639a18cd5d04e4056d753791510e612a

      SHA256

      8d817f4b87b29e0d1f25fe7ee52aba59ce70298888c6a5f7901e34461f214b75

      SHA512

      ec5403e16a7e39ea24de4eddeb907c3de1c0daab91648cb9bce8cb3877ab22a6c0c1444374a5ebb513b6547b92a64b72b1b09261c2c5666dacc1eae1d6676390

      Download Submit

    • C:\Windows\Temp\{33B83190-6FD6-4FA9-8B94-44208F025A0A}\.ba\logo.png
      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      Download Submit

    • C:\Windows\Temp\{33B83190-6FD6-4FA9-8B94-44208F025A0A}\.ba\wixstdba.dll
      Filesize

      191KB

      MD5

      eab9caf4277829abdf6223ec1efa0edd

      SHA1

      74862ecf349a9bedd32699f2a7a4e00b4727543d

      SHA256

      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

      SHA512

      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

      Download Submit

    • C:\Windows\Temp\{CF9A80C9-1AE0-4F07-B1C0-91549434A43F}\.cr\VC_redist.x64.exe
      Filesize

      635KB

      MD5

      53e9222bc438cbd8b7320f800bef2e78

      SHA1

      c4f295d8855b4b16c7450a4a9150eb95046f6390

      SHA256

      0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

      SHA512

      7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

      Download Submit