Overview

overview

10

Static

static

581b5ea719...14.exe

windows7-x64

10

581b5ea719...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 20:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    581b5ea719db1ca1f1e70e15590e3632799fc70dc7ab09f9950ca918f5904f14.exe

  • Size

    232KB

  • MD5

    78c7c54962813d2fce8c41efaf874ac0

  • SHA1

    91ac13d2b696955b30d7be67592922253120a971

  • SHA256

    581b5ea719db1ca1f1e70e15590e3632799fc70dc7ab09f9950ca918f5904f14

  • SHA512

    c06efb5e830f8975262c7dbc88da6207a84ea3a2b1c309dc31e2cb2ed0a3815e42339f792f889429c2068b32432808974e1d708a8e97ad956075cf8943ee3fd2

  • SSDEEP

    6144:9J3PFKs78g2KyEOaWEqxF6snji81RUinKdNOA6:DPh+mFE

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\581b5ea719db1ca1f1e70e15590e3632799fc70dc7ab09f9950ca918f5904f14.exe
    "C:\Users\Admin\AppData\Local\Temp\581b5ea719db1ca1f1e70e15590e3632799fc70dc7ab09f9950ca918f5904f14.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\cdvav.exe
      "C:\Users\Admin\cdvav.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3056

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\cdvav.exe
          Filesize

          232KB

          MD5

          00ebc9491bb9e42c0e667ccd4f8e8f2c

          SHA1

          67256894792af41c352cb7cd1b11e00b8b31b474

          SHA256

          ef200016f3ff50d0a41d1a36973bead30f1d70f96ecc5ee8e11e758579cbb67c

          SHA512

          0be5bca476903f1729285f4664e539ff8eae4fec5b2cb421407c2e06c875717f45ced16defd835a4078351ff55cc4fe1b429474febd61153e9b73d91334850d1

          Download Submit

        • C:\Users\Admin\cdvav.exe
          Filesize

          232KB

          MD5

          00ebc9491bb9e42c0e667ccd4f8e8f2c

          SHA1

          67256894792af41c352cb7cd1b11e00b8b31b474

          SHA256

          ef200016f3ff50d0a41d1a36973bead30f1d70f96ecc5ee8e11e758579cbb67c

          SHA512

          0be5bca476903f1729285f4664e539ff8eae4fec5b2cb421407c2e06c875717f45ced16defd835a4078351ff55cc4fe1b429474febd61153e9b73d91334850d1

          Download Submit