The submitted file c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec.bin is classified as RANSOMWARE.
SHA256 | c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec |
File Name | c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec.bin |
File Type | Win32 EXE |
Environment | Windows10 |
Analysis Start Time | 2023-05-05 11:08:30 (UTC) |
Analysis End Time | 2023-05-05 11:14:05 (UTC) |
Tags | Static Analysis: MALICIOUS; Network Analysis: MALICIOUS; Dynamic Analysis: MALICIOUS; File Analysis: NO THREATS |
|
|
— -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty |
— HerbalEssentials.exe |
— icacls "C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
— HerbalEssentials.exe --Admin IsNotAutoStart IsNotTask |
— build2.exe |
— build3.exe |
— C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe" |
— conhost.exe 0xffffffff -ForceV1 |
— WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task" |
— HERBAL~1.EXE |
— WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task" |
— mstsca.exe |
— WINWORD.EXE /Automation -Embedding |
— svchost.exe -k netsvcs -p -s wuauserv |
— wmiadap.exe /F /T /R |
— SecurityHealthService.exe |
— svchost.exe -k LocalService -p -s CDPSvc |
— C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db\HERBAL~1.EXE |
— C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build2[1].exe |
— C:\Users\Administrator\AppData\Local\2f034c97-b4f5-43ed-8124-c436714816aa\build2.exe |
— C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\get[1].htm |
— C:\Users\Administrator\AppData\Local\bowsakkdestx.txt |
— C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build3[1].exe |
— C:\Users\Administrator\AppData\Local\2f034c97-b4f5-43ed-8124-c436714816aa\build3.exe |
— C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm |
— C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe |
— C:\Users\Administrator\AppData\Local\4007ce47-e5e0-4174-8096-7425f719def7\build2.exe |
— C:\Users\Administrator\AppData\Local\4007ce47-e5e0-4174-8096-7425f719def7\build3.exe |
— C:\Windows\System32\perfc009.dat |
— C:\Windows\System32\perfh009.dat |
— C:\Windows\INF\WmiApRpl\WmiApRpl.h |
— C:\Windows\INF\WmiApRpl\WmiApRpl.ini |
— C:\Windows\INF\WmiApRpl\0009 |
— C:\Windows\System32\PerfStringBackup.INI |
— HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Registry | Value |
---|---|
HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper | "C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db\HERBAL~1.EXE" --AutoStart |
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4024204036-1465485123-3602351515-500\\Device\HarddiskVolume2\Windows\System32\conhost.exe | Binary Data |
HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime | DWORD (0x01ac12c1) |
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFile | WmiApRpl.ini |
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter | DWORD (0x000029be) |
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help | DWORD (0x000029bf) |
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter | DWORD (0x00002918) |
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help | DWORD (0x00002919) |
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List | 10520 10526 10536 10546 10566 10610 10620 10658 10664 10680 |
Type | Indicator | Reputation |
---|---|---|
IP Address | 116[.]202[.]1[.]171 | Malicious |
IP Address | 123[.]140[.]161[.]243 | Malicious |
IP Address | 175[.]126[.]109[.]15 | Malicious |
IP Address | 211[.]59[.]14[.]90 | Malicious |
IP Address | 95[.]158[.]162[.]200 | Malicious |
IP Address | 189[.]143[.]215[.]84 | Malicious |
IP Address | 190[.]141[.]132[.]105 | Malicious |
IP Address | 211[.]104[.]254[.]139 | Malicious |
IP Address | 190[.]229[.]19[.]7 | Malicious |
IP Address | 189[.]245[.]136[.]247 | Malicious |
IP Address | 211[.]53[.]230[.]67 | Malicious |
IP Address | 210[.]182[.]29[.]70 | Malicious |
IP Address | 211[.]119[.]84[.]111 | Malicious |
IP Address | 84[.]224[.]34[.]240 | Malicious |
IP Address | 175[.]119[.]10[.]231 | Malicious |
IP Address | 190[.]140[.]140[.]75 | Malicious |
IP Address | 37[.]34[.]248[.]24 | Malicious |
Domain | zexeq[.]com | Malicious |
Domain | colisumy[.]com | Malicious |
URL | hxxp://116[.]202[.]1[.]171/drivers[.]zip | Malicious |
URL | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | Malicious |
URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious |
URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious |
URL | hxxp://116[.]202[.]1[.]171/ | Malicious |
Sha256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity |
Sha256 | 4ca995875e46b16dfc89d1310737e0c0722adaf49b76de2a5179fc2149f1f173 | Anomalous Activity |
Method | URL | IP | HTTP Status |
---|---|---|---|
GET | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | 123[.]140[.]161[.]243 | 200 |
POST | hxxp://116[.]202[.]1[.]171/ | 116[.]202[.]1[.]171 | 200 |
GET | hxxp://colisumy[.]com/dl/build2[.]exe | 210[.]182[.]29[.]70 | 200 |
GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 123[.]140[.]161[.]243 | 200 |
GET | hxxp://116[.]202[.]1[.]171/31c7719b5ee962fbde376b75e771360d | 116[.]202[.]1[.]171 | 200 |
GET | hxxp://116[.]202[.]1[.]171/drivers[.]zip | 116[.]202[.]1[.]171 | 200 |
GET | hxxp://www[.]msftconnecttest[.]com/connecttest[.]txt | 13[.]107[.]4[.]52 | 200 |
Domain | IP |
---|---|
www[.]msftconnecttest[.]com | 13[.]107[.]4[.]52 |
api[.]2ip[.]ua | 162[.]0[.]217[.]254 |
r[.]bing[.]com | 104[.]77[.]173[.]121 104[.]77[.]173[.]122 104[.]77[.]173[.]120 104[.]77[.]173[.]106 104[.]77[.]173[.]152 104[.]77[.]173[.]35 104[.]77[.]173[.]153 104[.]77[.]173[.]131 104[.]77[.]173[.]136 |
colisumy[.]com | 210[.]182[.]29[.]70 211[.]119[.]84[.]111 84[.]224[.]34[.]240 190[.]229[.]19[.]7 189[.]143[.]215[.]84 175[.]119[.]10[.]231 211[.]104[.]254[.]139 190[.]140[.]140[.]75 37[.]34[.]248[.]24 123[.]140[.]161[.]243 |
zexeq[.]com | 123[.]140[.]161[.]243 175[.]126[.]109[.]15 211[.]59[.]14[.]90 95[.]158[.]162[.]200 189[.]143[.]215[.]84 190[.]141[.]132[.]105 211[.]104[.]254[.]139 190[.]229[.]19[.]7 189[.]245[.]136[.]247 211[.]53[.]230[.]67 |
t[.]me | 149[.]154[.]167[.]99 |
JA3S | Domain |
---|---|
61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua |
098e26e2609212ac1bfac552fbe04127 | t[.]me |
c8d5b17a0fd5b4ee799ca8bd692fee69 | r[.]bing[.]com |
Sha256 | FileType |
---|---|
d8d2ad3bf7ac898ac658ae85641788321a8c669dad97bfc852d5087d1d55ee84 | text/plain |
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df | text/plain |
4ca995875e46b16dfc89d1310737e0c0722adaf49b76de2a5179fc2149f1f173 | application/x-dosexec |
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec |
eca1f91b1295d8606d563f82158902016bcd85d29e1439600367bedf69bcb62a | text/plain |
253a34e3bd4db5d3f62e0a468c4cb8f53af4ba00b30c23261bb02fe5a4348cd9 | application/zip |
5e9a7996fe94d7be10595d7133748760bf8348198b71b7a50fd8affaa980ac61 | text/plain |
Connections | IP |
---|---|
UDP | 40[.]81[.]94[.]65 |
TCP | 116[.]202[.]1[.]171 40[.]126[.]17[.]135 123[.]140[.]161[.]243 20[.]3[.]187[.]198 204[.]79[.]197[.]200 20[.]44[.]10[.]122 20[.]198[.]188[.]157 184[.]31[.]212[.]208 23[.]54[.]93[.]139 13[.]89[.]179[.]12 13[.]107[.]4[.]52 13[.]71[.]55[.]58 142[.]250[.]193[.]138 162[.]0[.]217[.]254 184[.]50[.]18[.]95 184[.]25[.]160[.]170 52[.]165[.]165[.]26 20[.]195[.]114[.]44 20[.]190[.]146[.]36 142[.]250[.]182[.]10 138[.]91[.]171[.]81 8[.]241[.]168[.]254 210[.]182[.]29[.]70 149[.]154[.]167[.]99 104[.]77[.]173[.]121 52[.]167[.]17[.]97 52[.]168[.]112[.]66 20[.]190[.]146[.]33 142[.]250[.]193[.]106 152[.]195[.]38[.]76 118[.]214[.]139[.]83 |