Analysis

  • max time kernel
    171s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 20:09

General

  • Target

    cd96afb91e885b5d0fb348303fe9f87aca2d113f1997f256c21e04ebef199c9e.exe

  • Size

    192KB

  • MD5

    685e3ca0fe081629b6646f29dd41671c

  • SHA1

    53ae40182619cc77b1a957024f6ddb330e7a8e9e

  • SHA256

    cd96afb91e885b5d0fb348303fe9f87aca2d113f1997f256c21e04ebef199c9e

  • SHA512

    2d9b17263dc4af743937297ee2ae7e844f355496df2f55e27b9cc3efb5b4b0a042dd6a0e78a8bb7f26d400605dcf64999c954abba8d097fea7a77608ce3ccf52

  • SSDEEP

    1536:hrHABQruHlTtPRi4iti93MH9iV6MRfWzzp3BHReQbIYL2XoPLJB514R9/dJqi/7:12QraTRRi4itiSHXzp3uYTPLJOhD

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd96afb91e885b5d0fb348303fe9f87aca2d113f1997f256c21e04ebef199c9e.exe
    "C:\Users\Admin\AppData\Local\Temp\cd96afb91e885b5d0fb348303fe9f87aca2d113f1997f256c21e04ebef199c9e.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\roenian.exe
      "C:\Users\Admin\roenian.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2044
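
The signatures above name behaviours (a dropped copy at C:\Users\Admin\roenian.exe, a Run key, a change to Explorer's hidden/system-file visibility) but not the registry values involved. The script below is an added example, not part of the sandbox report or the sample: it hard-codes the digests the report lists for both files and checks a `reg export` of the relevant keys for the same indicators. Which Run key and which Explorer values the sample wrote are assumptions (the usual Run and RunOnce keys in any hive, and the Hidden and ShowSuperHidden values under Explorer\Advanced); the .reg text in SAMPLE_REG is constructed input, not data from the sandbox.

```python
"""Added example, not from the sandbox report. Digests are copied from the
report; the Run keys and Explorer values checked are assumptions (the report
names the behaviour, not the values). SAMPLE_REG is constructed input."""
import hashlib
import re

DROPPED_NAME = "roenian.exe"

# Digests the report lists for the submitted sample and the dropped copy.
KNOWN_HASHES = {
    "md5": {"685e3ca0fe081629b6646f29dd41671c", "0206316bf33a2078915b5cb75b5b4214"},
    "sha1": {"53ae40182619cc77b1a957024f6ddb330e7a8e9e",
             "5ce8a02639b9f6d81d1b9d7dcf6ea2bf34106848"},
    "sha256": {"cd96afb91e885b5d0fb348303fe9f87aca2d113f1997f256c21e04ebef199c9e",
               "97ffd865f6548f3771c9a6a07e7012f629c9692d4bd47c21ceaf79d1336c1936"},
}

EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed sample input shaped like `reg export` output (not sandbox data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"roenian"="C:\\Users\\Admin\\roenian.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def hash_bytes(data):
    """Digest a buffer with every algorithm we hold IOCs for."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_HASHES}

def hash_file(path, chunk=1 << 20):
    """Same digests for a file on disk, read in chunks."""
    hs = {alg: hashlib.new(alg) for alg in KNOWN_HASHES}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hs.items()}

def match_hashes(digests):
    """Algorithms whose digest equals one of the report's IOCs (sorted)."""
    return sorted(a for a, d in digests.items() if d in KNOWN_HASHES.get(a, ()))

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def _decode(data):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:/hex(n): payloads are left raw; not needed here

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(3))
    return keys

def find_run_entries(reg, needle=DROPPED_NAME):
    """Run/RunOnce values (any hive) whose data references the dropped file."""
    hits = []
    for key, values in reg.items():
        k = key.lower()
        if not (k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runonce")):
            continue
        for name, data in values.items():
            if isinstance(data, str) and needle.lower() in data.lower():
                hits.append((key, name, data))
    return hits

def explorer_visibility(reg):
    """Hidden: 1 shows hidden files, 2 hides them. ShowSuperHidden: 1 shows
    protected OS files, 0 hides them. None means the value is absent."""
    adv = next((v for k, v in reg.items() if k.lower() == EXPLORER_ADVANCED.lower()), {})
    return {"Hidden": adv.get("Hidden"), "ShowSuperHidden": adv.get("ShowSuperHidden")}
```

Two caveats when running this against a real host: `reg export` writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `parse_reg`; and both files in the report are 192KB but their digests differ, so the dropped copy is not byte-identical to the submission and matching on the submitted sample's hashes alone would miss it, which is why KNOWN_HASHES carries both sets.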

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\roenian.exe

    Filesize

    192KB

    MD5

    0206316bf33a2078915b5cb75b5b4214

    SHA1

    5ce8a02639b9f6d81d1b9d7dcf6ea2bf34106848

    SHA256

    97ffd865f6548f3771c9a6a07e7012f629c9692d4bd47c21ceaf79d1336c1936

    SHA512

    cff2f530be4037f2d6667f02827d81d54a5a40c9d92873bc902fb7478642a473b90f8af55b7f2136e706543ce2c7686dfb089f7694d279aec24b3c5493e971cf

  • memory/1036-56-0x00000000753C1000-0x00000000753C3000-memory.dmp

    Filesize

    8KB