Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2022, 04:04 UTC

General

  • Target

    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe

  • Size

    260KB

  • MD5

    5265a2969de0efcb966a9fe3b7afc40f

  • SHA1

    245f1f8bb99b6d968c7409807b42836020c76fd1

  • SHA256

    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c

  • SHA512

    f72c3640036b2564a7eca34f7e6cd905bba18c81303aca9f66ca43e1a59188e5223186437d72539d78e42af2ed7aeff9c0fdab292b121cd9fbce01f53cb3369b

  • SSDEEP

    3072:UsgUrTiooHiUS41IGymUU5fkUehyB456J2Lw6BoiEx4PvsL2o5I33ygo:fzToHiUBiGyuT236J2deiEx4PvRo5OF

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    "C:\Users\Admin\AppData\Local\Temp\22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\tioneu.exe
      "C:\Users\Admin\tioneu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1884

Network

  • flag-us
    DNS
    ns1.player1352.com
    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.com
    IN A
    Response
  • flag-us
    DNS
    ns1.player1352.net
    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    35.205.61.67
  • 35.205.61.67:8000
    ns1.player1352.net
    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    152 B
    3
  • 8.8.8.8:53
    ns1.player1352.com
    dns
    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    64 B
    137 B
    1
    1

    DNS Request

    ns1.player1352.com

  • 8.8.8.8:53
    ns1.player1352.net
    dns
    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    64 B
    80 B
    1
    1

    DNS Request

    ns1.player1352.net

    DNS Response

    35.205.61.67

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tioneu.exe

    Filesize

    260KB

    MD5

    0e38d159932298fae31a908494e1ebe3

    SHA1

    38275e81ef95f98c8acc36de5e486ce22e9a2141

    SHA256

    3f0bccf6564924c267140bd28638b637e19c73a719d681777ddf04df70f039b8

    SHA512

    3b80af88c4ee81d058edc63c981994c92ab688b9af0ffb03cc7b24fb5ce7c4ba23a3f9b3681f318af43d199441f33f44b5c8c0a7f568422c92f98e9d9c691a57

  • \Users\Admin\tioneu.exe

    Filesize

    260KB

    MD5

    0e38d159932298fae31a908494e1ebe3

    SHA1

    38275e81ef95f98c8acc36de5e486ce22e9a2141

    SHA256

    3f0bccf6564924c267140bd28638b637e19c73a719d681777ddf04df70f039b8

    SHA512

    3b80af88c4ee81d058edc63c981994c92ab688b9af0ffb03cc7b24fb5ce7c4ba23a3f9b3681f318af43d199441f33f44b5c8c0a7f568422c92f98e9d9c691a57

  • memory/1976-56-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

    Filesize

    8KB
