Analysis

  • max time kernel
    156s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2022 04:04

General

  • Target

    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe

  • Size

    260KB

  • MD5

    5265a2969de0efcb966a9fe3b7afc40f

  • SHA1

    245f1f8bb99b6d968c7409807b42836020c76fd1

  • SHA256

    22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c

  • SHA512

    f72c3640036b2564a7eca34f7e6cd905bba18c81303aca9f66ca43e1a59188e5223186437d72539d78e42af2ed7aeff9c0fdab292b121cd9fbce01f53cb3369b

  • SSDEEP

    3072:UsgUrTiooHiUS41IGymUU5fkUehyB456J2Lw6BoiEx4PvsL2o5I33ygo:fzToHiUBiGyuT236J2deiEx4PvRo5OF

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe
    "C:\Users\Admin\AppData\Local\Temp\22c88f0cb0dd490da3f02b3649390f7bb201c1ff1a22fb495d3a636700c64b0c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\caezej.exe
      "C:\Users\Admin\caezej.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4252

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\caezej.exe

    Filesize

    260KB

    MD5

    b1ddfa697472c20f5b308fc08b8fdd73

    SHA1

    8b8924e08aad5944d942988b36b77185cb242975

    SHA256

    911e47bb81c0c7eeda17ab389f99b4fed875788f51140dc7ca0ad6de086088d3

    SHA512

    028afd50483879ddb0ad4952496f140d9a4d11c3bb06dcf46f2acd5b4a380955f05dbca667c811f4f9fad01f3e56be3f44212a3ee16a4d1cf5d4bf7d04c1fab7
