Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
02/10/2022, 00:31
General
-
Target
5b0fc9842a36bac898fede9c6c5990fd5f0ce2f635c11184af81fb508e1c8cdb.exe
-
Size
251KB
-
MD5
4f7ab5d4c49c066debaefb768f1db000
-
SHA1
d019b88f0a547914d4bc2e62451184807fb7d887
-
SHA256
5b0fc9842a36bac898fede9c6c5990fd5f0ce2f635c11184af81fb508e1c8cdb
-
SHA512
0fcf110ccff218ff3d5cf712fda489e73a9fd103652350cda4c974f15c423fc20b21110b81ff94de45b6ac5a5837eea50c06ca54e44c662500c1c5a8e6f38c96
-
SSDEEP
3072:K4L9uT6U+45GZD1e8jdBv9+5An1HCfdHLU9d6c6V1YBLSkPPPmynIGoqqWOXK:LL9uT6B4lw+5An1HCfdguqHnIi
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b0fc9842a36bac898fede9c6c5990fd5f0ce2f635c11184af81fb508e1c8cdb.exe"C:\Users\Admin\AppData\Local\Temp\5b0fc9842a36bac898fede9c6c5990fd5f0ce2f635c11184af81fb508e1c8cdb.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\xfcuik.exe"C:\Users\Admin\xfcuik.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD54f7ab5d4c49c066debaefb768f1db000
SHA1d019b88f0a547914d4bc2e62451184807fb7d887
SHA2565b0fc9842a36bac898fede9c6c5990fd5f0ce2f635c11184af81fb508e1c8cdb
SHA5120fcf110ccff218ff3d5cf712fda489e73a9fd103652350cda4c974f15c423fc20b21110b81ff94de45b6ac5a5837eea50c06ca54e44c662500c1c5a8e6f38c96
-
Filesize
251KB
MD54f7ab5d4c49c066debaefb768f1db000
SHA1d019b88f0a547914d4bc2e62451184807fb7d887
SHA2565b0fc9842a36bac898fede9c6c5990fd5f0ce2f635c11184af81fb508e1c8cdb
SHA5120fcf110ccff218ff3d5cf712fda489e73a9fd103652350cda4c974f15c423fc20b21110b81ff94de45b6ac5a5837eea50c06ca54e44c662500c1c5a8e6f38c96