Analysis

  • max time kernel
    154s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 03:20

General

  • Target

    7c738b55640b065a33a7e4dd251eaaa2218ad88585e8ab9820c6b822f5ddcfaa.exe

  • Size

    60KB

  • MD5

    559a9fa12abf31d0a3882ada3b3e914c

  • SHA1

    58fa144adab194de0f7a644299a98f1cd8693a08

  • SHA256

    7c738b55640b065a33a7e4dd251eaaa2218ad88585e8ab9820c6b822f5ddcfaa

  • SHA512

    4b8ac14a52cdd4eb944f972f62f4d0beda80dfe1ff1f53133f87bb13955ca7563b0c82f1cd9ac4e7b947ac37de75e98c62cc1f42dac1d60c529571e2a2e88fe4

  • SSDEEP

    1536:VZIThxeVnBvmiINMK9VmZxrUOjD5MJ3hg:shmS45D5M

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c738b55640b065a33a7e4dd251eaaa2218ad88585e8ab9820c6b822f5ddcfaa.exe
    "C:\Users\Admin\AppData\Local\Temp\7c738b55640b065a33a7e4dd251eaaa2218ad88585e8ab9820c6b822f5ddcfaa.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Users\Admin\ftqueh.exe
      "C:\Users\Admin\ftqueh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2032
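The signatures above (dropped EXE, Run-key persistence, Explorer hidden-file settings, country-code lookup) and the process tree give enough to hunt for this sample on a live host. The following PowerShell triage script is an added example and is not part of the sandbox report. It assumes the dropped file lands in the profile root of whichever user ran the sample (the report shows C:\Users\Admin\ftqueh.exe), and it assumes the usual registry locations for each behaviour (the Run keys, Explorer\Advanced Hidden/ShowSuperHidden, and Control Panel\International\Geo\Nation); the report does not name the keys or values its signatures matched, so those paths are the author's assumption, and the Run-key value name is unknown (53 IoCs), so the script matches on the value data instead.

```powershell
# Added triage script (not from the sandbox report). Checks one Windows host for
# the artifacts the report attributes to the sample. Registry paths are assumed;
# the report does not name the keys its signatures matched.

# SHA256 values copied from the report's General and Downloads sections.
$KnownHashes = @{
    '7C738B55640B065A33A7E4DD251EAAA2218AD88585E8AB9820C6B822F5DDCFAA' = 'original sample'
    'F734685B2DD97A595FF8A322F1E3FF2209E677EDDBC26E6A723D9FC40E81D7CB' = 'dropped ftqueh.exe'
}
$DroppedName = 'ftqueh.exe'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped file: the report shows it in the user's profile root, not in Temp.
#    Check every profile, since the sample may not have run as "Admin" here.
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $candidate = Join-Path $userDir.FullName $DroppedName
    if (Test-Path -LiteralPath $candidate) {
        $hash  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $label = if ($KnownHashes.ContainsKey($hash)) { $KnownHashes[$hash] } else { 'unknown hash, inspect manually' }
        $Findings.Add("file: $candidate sha256=$hash ($label)")
    }
}

# 2. Run-key persistence. The value name is not in the report, so match any
#    value whose data references ftqueh.exe. HKCU covers the current user only.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... members
        if ("$($p.Value)" -match [regex]::Escape($DroppedName)) {
            $Findings.Add("run key: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. Explorer hidden/system-file visibility. The report says the setting was
#    modified but not which values were written, so record the current state
#    for comparison against the host's baseline (Hidden=1 shows hidden files,
#    Hidden=2 hides them; ShowSuperHidden=1 shows protected OS files).
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path -Path $Adv) {
    $v = Get-ItemProperty -Path $Adv
    $Findings.Add("explorer: Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)")
}

# 4. Geofence check: record the configured country code the sample would have read.
$Geo = 'HKCU:\Control Panel\International\Geo'
if (Test-Path -Path $Geo) {
    $Findings.Add("geo: Nation=$((Get-ItemProperty -Path $Geo).Nation)")
}

if ($Findings.Count -eq 0) { 'no artifacts found' } else { $Findings }
```

Run it in an elevated PowerShell session so HKLM and other users' profile directories are readable. A hash match on ftqueh.exe is a strong indicator; a Run-key hit on the name alone or an unexpected Explorer setting should be followed up by pulling the file and comparing its hash against the report.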

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\ftqueh.exe

    Filesize

    60KB

    MD5

    1b9da17707f79ebcd18853991e42a405

    SHA1

    b746bf0c9766b8bf0f55d34a764095ce4debe9b0

    SHA256

    f734685b2dd97a595ff8a322f1e3ff2209e677eddbc26e6a723d9fc40e81d7cb

    SHA512

    6a656551b58f0fc306cf476ca9138f628719e32647a796115c09fcc252444389543fb3be5056292231eb9db75ee8e5f47c057dd1761b90059e91250f1925aa7e

  • memory/2032-134-0x0000000000000000-mapping.dmp