Analysis

  • max time kernel
    155s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 02:53

General

  • Target

    24a938807fa7e029717721546f7b431a7b18795ecdaf7083ecfe69eae9da911d.exe

  • Size

    108KB

  • MD5

    6569e05f21c8e94baa11e15a91f0431b

  • SHA1

    9747cd046502088f717a2d4707d6f881c86726f7

  • SHA256

    24a938807fa7e029717721546f7b431a7b18795ecdaf7083ecfe69eae9da911d

  • SHA512

    717a8c06315bf3970373486bcdc881b710de2bdace3b96dfc9e683930f98d1b7e48bc1e19042fedf869e172b671c191e7cdfbb7f0c6b62f88158d14820a3bf19

  • SSDEEP

    1536:wbRI6z51KiB6oQ7Lh5+sXmNt0ttlPXLq0zTrk3:2X1moIeZt8XTzTo3

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24a938807fa7e029717721546f7b431a7b18795ecdaf7083ecfe69eae9da911d.exe
    "C:\Users\Admin\AppData\Local\Temp\24a938807fa7e029717721546f7b431a7b18795ecdaf7083ecfe69eae9da911d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Users\Admin\qeugan.exe
      "C:\Users\Admin\qeugan.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1972

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\qeugan.exe

          Filesize

          108KB

          MD5

          99c0cce6699f76a7038dc8bb4bcfdd1b

          SHA1

          e792c3187e911c535936c9f4177a4cac4784eceb

          SHA256

          b7477be5d6c1c0714bb46d0607e30cd852af61ca2cf8214064c32fc927754091

          SHA512

          f18abd9af96003dfe6d589ea66e131dd463c3b560b4ae1a9901d36b75e047087acbe776e660bba09f37cb0b15bc8bb772d30da9934dadb49bdd87e529086dc76