Overview

overview

10

Static

static

591101842e...f2.exe

windows7-x64

10

591101842e...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 03:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    591101842e9faed8384a27c3596974763c78604bcc54e847d444aaa7dfbdccf2.exe

  • Size

    140KB

  • MD5

    6a1295f7431ae4fd2aec4ecef5b3951d

  • SHA1

    19849b71026e3292170fd3dc853ebe89fdf0cf73

  • SHA256

    591101842e9faed8384a27c3596974763c78604bcc54e847d444aaa7dfbdccf2

  • SHA512

    bfd74c0e1e5eb0853722010a6b2cfcfbf1b23b622914ea2bd4b3d394e08b38c3e7922676acd776b26dd563d991578cda2ba8ebfb1311339427c1b9839a49edf0

  • SSDEEP

    1536:T+6Qe6VtKEeYAcANSU+MNG5ipzqNbCa34YaI77UsMJn1ogCnzqLcTJLO01DvqKWt:XZeKBYnAz4R77UsMJn1o9fG+O7

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\591101842e9faed8384a27c3596974763c78604bcc54e847d444aaa7dfbdccf2.exe
    "C:\Users\Admin\AppData\Local\Temp\591101842e9faed8384a27c3596974763c78604bcc54e847d444aaa7dfbdccf2.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Users\Admin\vqzoej.exe
      "C:\Users\Admin\vqzoej.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\vqzoej.exe
    Filesize

    140KB

    MD5

    6a2a413443620b51bbe18ae6a3d2f29b

    SHA1

    c93d4ba6218b770281261d5e1ae7f898cc666450

    SHA256

    917309d1f206240a65ae0396456e5bbf183dd11d8f8269d3414a6172e49ff825

    SHA512

    ae2469c32ada3f09c528bd7938636ef009d43e9bafc177883281422f34a0b99e1cc67dc31b6ddd851f0d3f65d4140f2c9d0650b2df82cb6b6ffc612e52f94538

    Download Submit

  • C:\Users\Admin\vqzoej.exe
    Filesize

    140KB

    MD5

    6a2a413443620b51bbe18ae6a3d2f29b

    SHA1

    c93d4ba6218b770281261d5e1ae7f898cc666450

    SHA256

    917309d1f206240a65ae0396456e5bbf183dd11d8f8269d3414a6172e49ff825

    SHA512

    ae2469c32ada3f09c528bd7938636ef009d43e9bafc177883281422f34a0b99e1cc67dc31b6ddd851f0d3f65d4140f2c9d0650b2df82cb6b6ffc612e52f94538

    Download Submit