Analysis

  • max time kernel
    93s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2022, 00:11

General

  • Target

    734f00eca0f8673b03e2ec587076b3451bdb0c8d53561ac15f2632d665de613c.exe

  • Size

    224KB

  • MD5

    6f1502a0cb51b348a51beecaac85bfa0

  • SHA1

    f0c8b4d6895f505580abeead1663509bbe46b334

  • SHA256

    734f00eca0f8673b03e2ec587076b3451bdb0c8d53561ac15f2632d665de613c

  • SHA512

    742c46f592ba80980ce14d6d382f03145cdacd14ec5e8feb6c4542fc123441d231f2ef9387e6796df659fa5a6c2ef5e0253e053c9ddcafd7ddac0de3828d1ff2

  • SSDEEP

    3072:p4gaOXfWRrIMNRlZ62Pal2LBJXmzOHm5WZ3K+MCfnG/bXMPhR:prXepp3PJXCOGY3eunC7M

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\734f00eca0f8673b03e2ec587076b3451bdb0c8d53561ac15f2632d665de613c.exe
    "C:\Users\Admin\AppData\Local\Temp\734f00eca0f8673b03e2ec587076b3451bdb0c8d53561ac15f2632d665de613c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Users\Admin\cuotuiv.exe
      "C:\Users\Admin\cuotuiv.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1080

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\cuotuiv.exe

    Filesize

    224KB

    MD5

    c19f4c2de642aea9b6548e0e176d4c3a

    SHA1

    ab146c2676570bd671c05a2895ae07d012d8d0e4

    SHA256

    f4c1c8311921d4753f6e94408b739ec814e9c57abf590c8f3bef2ae9842bf2cc

    SHA512

    89f929adafeb784a89a59d012afdea7cf003d252cfd2879f5d3701f5947f8c58692c86c3e4f27056416d7f9a8e5ed0ff228963f4cb7cbc3e859b7a6708dfda1c