Overview

overview

10

Static

static

10

22a164ed48...7f.exe

windows7-x64

9

22a164ed48...7f.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2024 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

  • Size

    146KB

  • MD5

    a7be144ff0b871ddd45e1e0bef06faa6

  • SHA1

    811797d3e0ce7c5ed76ff656156a2c066f306032

  • SHA256

    22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f

  • SHA512

    caeec8ed5080f00fe1134b968c81f13660ac1a9312d1f151b676f2a0b3670b2c0440e00c8a5e398d91707be5989d34e547ff3d5b4facbba81705c41f52bb3367

  • SSDEEP

    3072:46glyuxE4GsUPnliByocWep0AMmr7fTP+Gldf:46gDBGpvEByocWeRMa3P

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (617) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
    "C:\Users\Admin\AppData\Local\Temp\22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4312
    • C:\ProgramData\D90B.tmp
      "C:\ProgramData\D90B.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D90B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5204
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:408
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9B2CFCAC-CF4E-4029-AA17-2C85DC23FB9B}.xps" 133744686782280000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:4200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\OOOOOOOOOOO
      Filesize

      129B

      MD5

      fae4b8f62911f72a7648c5b5ca239d87

      SHA1

      acbf4c10651d5bf8d6fe70e82bd0afd433d4e80f

      SHA256

      bb0e6f82af486197379467aff567f724a270abe5186b59825f5e687feca6b713

      SHA512

      7943d2146aa1c818a43b657608bf7cbb0f3e1e7274192c043c64395e3e77887aa10e100fbd48c73e1c365b9565a4556e6b7387bba5771390c4f42b36de033386

      Download Submit

    • C:\OC9oMrMV8.README.txt
      Filesize

      343B

      MD5

      a8864aa0987b12bc59008a02c3ddda88

      SHA1

      54327dba296f734aae7ba65faf0b3dd8cb73b714

      SHA256

      168c71031668b64e0ccf26e81353f6eacb3599edbaf62f7aa62c55b8075a5a8f

      SHA512

      5a94b41a4f74354978c32dbe18d505bda8db0a0195f1df1749f81478c0bc0e022b744972f0c491a33b595fc9b21c7b5b59252ec5451b14cf15cbb6c936954dd8

      Download Submit

    • C:\ProgramData\D90B.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      146KB

      MD5

      d7eb3337e24f57c311ffecc05eef2be0

      SHA1

      4a08a276b156e3535491439b7b206c789dc5d51b

      SHA256

      bb1af566396f39cc72083481d6a5b454efb10b167318e77f4420f12c4916f3f4

      SHA512

      d77d2e0152484fb28c787a6358cd1e737dbeac3fddfb4ce847fc073f594ea87fb4c170848268304e1d65b9a240c9942f828123c194a21037df38dc18055ef757

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{05EF41B1-0B19-4B43-A446-E878F51543EF}
      Filesize

      4KB

      MD5

      ddc622d8ccc279d2f11e75bfb420ad2d

      SHA1

      bf3052fd423c2a7a1de27c60cd027c1113e4b738

      SHA256

      beb777e3f3844b58f270eefa148ec019895368925b0173d5628fd0f819546b2e

      SHA512

      1992dcc65f2db53920f41a24075f22ca3d99b8ea3e0f862c92516169e7394cdfe8cd644269c8396b845487bc5356f5507a139d29ff8c88175f0c056345e74730

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      d847587c3eeb2408b3bc65c224b2191a

      SHA1

      5d1af322ae7a804fb2053e22508a131dbd75d4de

      SHA256

      cf101241053d68cc2b937938dff4bdbe1d57686ed7fd1322dd4093aa1fe374f5

      SHA512

      f54fc875b7176014a3380401f05d833ce4cf42d181927c8097841c088ba71ef66de9c278ae52f6e1b618304c460ede6ac45066426ad9ea07e664b1875e90f8f3

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      cc534981bb3a4e0f6dd72f96e96d583a

      SHA1

      287e6e1b3d270d981e822971e20be010e06c61b5

      SHA256

      e3e5b01cf1a615795b4a20fcb62a72f4410e3bcb39af071cd00c6935df85cbc7

      SHA512

      e9d29492908460025896a0d4735d5db1fa838fbc9e19da58d65e560b674e4a9e064c7800aebbae7dd99a349027b76a32fdfe755516830e6ea089d87c5a07e05c

      Download Submit

    • memory/3236-2-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-2961-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-2962-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-2963-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-0-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-1-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-2981-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-2979-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-2982-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-3012-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-3013-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-2977-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4200-2980-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download