Analysis

  • max time kernel
    156s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 09:33

General

  • Target
    72ccd0cdc33f2be6ed973173fbb3037bb87d69282a54596035c1ed4cd81805ed.exe
  • Size
    232KB
  • MD5
    27a2cf0c00fda3856479dcd98c604f80
  • SHA1
    798ca709b5f494a886aa1a44483d62ac5ebde3b2
  • SHA256
    72ccd0cdc33f2be6ed973173fbb3037bb87d69282a54596035c1ed4cd81805ed
  • SHA512
    4be18207020ec98dc8c91783c818316088dc3203f5013f05b81e3d289fe0515d89845caa56445f53b7463fbb270266a5495e79cffd822ce844f02eae3a0ca6ac
  • SSDEEP
    1536:GjzUcGGomoDo0omoEo4A5AVzotokoXoOoioVo2oEogoFoPoeoWooo7oxozoZoMov:MUcGJA5AVap/Q

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72ccd0cdc33f2be6ed973173fbb3037bb87d69282a54596035c1ed4cd81805ed.exe
    "C:\Users\Admin\AppData\Local\Temp\72ccd0cdc33f2be6ed973173fbb3037bb87d69282a54596035c1ed4cd81805ed.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\muaheug.exe
      "C:\Users\Admin\muaheug.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4804

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\muaheug.exe
    Filesize
    232KB
    MD5
    02be5cf20dbff921d61cfe763e12f01b
    SHA1
    9083ac42c1c9e89709de6af351d49c3ec481ac49
    SHA256
    eb0090e929212eebec93e0799e8ef72a2b1b4ddbbda5bc95e643d15f26dd6a4b
    SHA512
    af5002bcba6684c218820fba52d79354bc88341114eb34f2040dd9c3940a85020a4dfdf47af72134b61c33818fcb3ba5aa608f43db490fdf2eed528a91ee0d6e