Analysis

  • max time kernel
    152s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 02:16

General

  • Target

    3e5c0f8b68df44bf9ce8f9988ffb6b69c4790a843aa691221bfd9cb1387caa14.exe

  • Size

    132KB

  • MD5

    77408b674494181c6b1d63daf3a4c817

  • SHA1

    30be4d0bc13eefab473453e31ab55980e522aca4

  • SHA256

    3e5c0f8b68df44bf9ce8f9988ffb6b69c4790a843aa691221bfd9cb1387caa14

  • SHA512

    a9e58fe9dc5133cbfd3a635506b1dc642edda8bea3cf14344e9c53a78bb610bc7ad792c904985d6ef62fc0c567e960a7acfa216a887c08e417b2446a2941c101

  • SSDEEP

    3072:E3k/hPrdVfWM8RM/8KmwBErXXFefQmD8ampj4Qez:T/FX8/KmwBEjXFeos8aCXez

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e5c0f8b68df44bf9ce8f9988ffb6b69c4790a843aa691221bfd9cb1387caa14.exe
    "C:\Users\Admin\AppData\Local\Temp\3e5c0f8b68df44bf9ce8f9988ffb6b69c4790a843aa691221bfd9cb1387caa14.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\soairoz.exe
      "C:\Users\Admin\soairoz.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1684

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\soairoz.exe

    Filesize

    132KB

    MD5

    5291d468824c95c5326f6528ebb791d9

    SHA1

    c0e5d448f72d96b42ab6c09bea05575f37cac4bb

    SHA256

    ac9fa44a021a7967ca7fcc8ce18b74c64fc5c4de8f5392c40078c8c61fc5dd5f

    SHA512

    5763bbae89415bb94cd53540e89d23aeb65fc16956c7aec0a883f81597448168a88c5bbacdfca075df15ba9e373cf9a611046ef178ad0f99e2bb23f95477262a
