Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 16:31

General

  • Target

    e7557239ddd4436003ee19fe952359635a7c3b04c2fcd3c8f32400087b13d303.exe

  • Size

    156KB

  • MD5

    092270ec3dfe0f9cd718dc365af19978

  • SHA1

    186a227311b64aa0343e0774db39f4172ace5ac5

  • SHA256

    e7557239ddd4436003ee19fe952359635a7c3b04c2fcd3c8f32400087b13d303

  • SHA512

    9a0b821e1df8cb10c1c703463464efce4df0b6d94b1f439291a121d8e3d421a8ca61fb0c881f650a105acfc79fb606b54b3fa5b0a96496af4265c2e1bdf59b11

  • SSDEEP

    3072:sK3gJdiYt+Vvu/5gEsSy8dH0pLaATo4oi6YX4oQZiEjbb:HKqvuTD0pLa2o4uY5WF3

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7557239ddd4436003ee19fe952359635a7c3b04c2fcd3c8f32400087b13d303.exe
    "C:\Users\Admin\AppData\Local\Temp\e7557239ddd4436003ee19fe952359635a7c3b04c2fcd3c8f32400087b13d303.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\buitu.exe
      "C:\Users\Admin\buitu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3616

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\buitu.exe

    Filesize

    156KB

    MD5

    b1b4c2e8c3e3e473c6951b12adba5486

    SHA1

    54e4771b535cb3bcc8862221a4592233d79c6580

    SHA256

    7d03475d14cd9019201c0f976136bbcba95a9daab50cd61bea944ada0f3d8403

    SHA512

    e106fd46fb2884480726347e15f39b55603988642b0eaa7e96f66a7e0d6a7c21c054b6297f1c63bed4bc7e3320c1d03bf5d8e908f19e2439831e6eaf8d241e56
