Analysis

  • max time kernel
    151s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2022, 03:47

General

  • Target

    94aa23c83896788b48ac2e5133dedad0371ecabbc9c73816893d310847d27ad0.exe

  • Size

    120KB

  • MD5

    5c728c7a8697eac184cc334c48d68260

  • SHA1

    12d9cbd7b7fc8e21de3cdb47d230904f521cd715

  • SHA256

    94aa23c83896788b48ac2e5133dedad0371ecabbc9c73816893d310847d27ad0

  • SHA512

    5ad2de97b57160378fec17be00deb1c98e94eb63232dd2730d6cd6c92a6fdd5e2c4593d5afb7860d10650f18bf11a91f8e2000bafb009810cb119fd38e72da7c

  • SSDEEP

    3072:taFXyjOfXcOQrXXU6CMvAD3jM8LozPOKr:YXQrnfCMvy3jM8LozL

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94aa23c83896788b48ac2e5133dedad0371ecabbc9c73816893d310847d27ad0.exe
    "C:\Users\Admin\AppData\Local\Temp\94aa23c83896788b48ac2e5133dedad0371ecabbc9c73816893d310847d27ad0.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Users\Admin\nueceuj.exe
      "C:\Users\Admin\nueceuj.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:480

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\nueceuj.exe

    Filesize

    120KB

    MD5

    f37fd9771851d084f13f69b8cd695a1e

    SHA1

    ab90b9506836a94261756dc956bc371b07540b68

    SHA256

    ffc0edb3a27ffa5450b795fc2dee002cde66d2f6007ef7e0d7cebcc54539c886

    SHA512

    599984e74dbc2156d5507e4b07858a0b955d23e8756719cf348f467b034a9ac87f4f1f26c677c49a9ed80c3d2ac5e8edeebe69ea807be4fb88e8912c09407678