Analysis

  • max time kernel
    151s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2022, 21:50

General

  • Target

    3177bc9c4c87a694fa044eddcd36dea04ea2367c3bc8b3c9449a5f1dd794e1f2.exe

  • Size

    376KB

  • MD5

    0a8c1bf2a5ff5e9bf1b4230f13437ae0

  • SHA1

    ef107972a8dd69044e947bb0277ac5dff5d28655

  • SHA256

    3177bc9c4c87a694fa044eddcd36dea04ea2367c3bc8b3c9449a5f1dd794e1f2

  • SHA512

    7385f40bab1ea7f2e916925da1a446a8a45872bd9caf4fc59c840a0f2027cba631f15d8b5a97865a2852d63482c0f2e97711b55b805445e5027ae322c974ec91

  • SSDEEP

    6144:9Eg3ZVYD3gkWi9BaAbHOVSL7Qm61FC84m2Hlh:bZVYTwi9cAiSLT61wfv

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3177bc9c4c87a694fa044eddcd36dea04ea2367c3bc8b3c9449a5f1dd794e1f2.exe
    "C:\Users\Admin\AppData\Local\Temp\3177bc9c4c87a694fa044eddcd36dea04ea2367c3bc8b3c9449a5f1dd794e1f2.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\buuvoar.exe
      "C:\Users\Admin\buuvoar.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1296

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\buuvoar.exe

          Filesize

          376KB

          MD5

          be1dcf3f18178b9b9541a766c6c1e4a3

          SHA1

          48b1bff6ae02867754eba2b1d969f7b85bd384f4

          SHA256

          88d427d587e5f51b40f7b3802a813c484e82b6639774d569dc29d6da1ecfb050

          SHA512

          a4bcb13318e525aa0505e44f740e1c4a973eb7ba4f6265daf52a88212a508cb4d39f73bf6c6342a5a758217d999d308493cc0e4b9e5180def5c3d76d3443a6c8

        • \Users\Admin\buuvoar.exe

          Filesize

          376KB

          MD5

          be1dcf3f18178b9b9541a766c6c1e4a3

          SHA1

          48b1bff6ae02867754eba2b1d969f7b85bd384f4

          SHA256

          88d427d587e5f51b40f7b3802a813c484e82b6639774d569dc29d6da1ecfb050

          SHA512

          a4bcb13318e525aa0505e44f740e1c4a973eb7ba4f6265daf52a88212a508cb4d39f73bf6c6342a5a758217d999d308493cc0e4b9e5180def5c3d76d3443a6c8

        • memory/1980-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

          Filesize

          8KB