Analysis

  • max time kernel
    190s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 22:02

General

  • Target

    7b5477aedf8ca5f11cf0db66fcc580cdd253ff38ec103f4dac6a6a917d42fa16.exe

  • Size

    312KB

  • MD5

    46e30c8e93a936140c3c543aba3f9e71

  • SHA1

    813ab8fa8ea3d9a9669bb318a6fd87534c175d4f

  • SHA256

    7b5477aedf8ca5f11cf0db66fcc580cdd253ff38ec103f4dac6a6a917d42fa16

  • SHA512

    c27e99b4dbaf6110ecf4edf068561e3702b943d90a994e67326a9f1c7fbdd533d883e1091926f2b97203c907b9c62c9129bf73fdf5f3eef41369e43179f52cb2

  • SSDEEP

    6144:4Abc0f7XP+g3AGJpWVzugs7PRHeEgRK/fObT/bGiJKv6R7MkZ4lUr8W9HuOGKqvs:zw27/XvLWpu/eEgRK/fObT/bGiJlMkZ9

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b5477aedf8ca5f11cf0db66fcc580cdd253ff38ec103f4dac6a6a917d42fa16.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5477aedf8ca5f11cf0db66fcc580cdd253ff38ec103f4dac6a6a917d42fa16.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\muurao.exe
      "C:\Users\Admin\muurao.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\muurao.exe

    Filesize

    312KB

    MD5

    c8e8e605e57271f4117308adb8ef9323

    SHA1

    1591ecf04b8f0f1a67545e5c03c0bdd5caf99204

    SHA256

    80eed06029c167e2a6e3471203d148aafd03a615ca6fd07066fa8c04077e8036

    SHA512

    7da853d8dcb28542a1aafec9886d3260ed3d61a9fa53754a4d60c0cd0806e8905fe233d53df56f2da5a7fa9e2063c0df3ccec27078117944c7d9ca312f5f661d

  • C:\Users\Admin\muurao.exe

    Filesize

    312KB

    MD5

    c8e8e605e57271f4117308adb8ef9323

    SHA1

    1591ecf04b8f0f1a67545e5c03c0bdd5caf99204

    SHA256

    80eed06029c167e2a6e3471203d148aafd03a615ca6fd07066fa8c04077e8036

    SHA512

    7da853d8dcb28542a1aafec9886d3260ed3d61a9fa53754a4d60c0cd0806e8905fe233d53df56f2da5a7fa9e2063c0df3ccec27078117944c7d9ca312f5f661d

  • memory/1288-133-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/1288-142-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3680-141-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/3680-143-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB