Analysis

  • max time kernel
    153s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 20:33

General

  • Target

    870a0ffa27ac477069085a11d2a92f738021fef4541a9ac2355a36e43a3f9fce.exe

  • Size

    236KB

  • MD5

    68a7dfb2d90d5fc1766abacd3035b2a0

  • SHA1

    fb0ada1f7a2a68fb4378c770b77ee75f4f203a18

  • SHA256

    870a0ffa27ac477069085a11d2a92f738021fef4541a9ac2355a36e43a3f9fce

  • SHA512

    4005820031d2c9254dbcf0c69c8e839647bbcec8c027247e5fd6837620f8231318793ec5b9ce700143645e04e396f9ae42a90bcd15261fa4125df8eb4dd967a4

  • SSDEEP

    3072:rdNh0TwKzzGKXW28oYLVp0uP5cPLa6KMWM+x2rfdnpcJMyaegtmNbW6grc:rtpmzGXoYZpDPCPLa64fmdK+dtEx

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\870a0ffa27ac477069085a11d2a92f738021fef4541a9ac2355a36e43a3f9fce.exe
    "C:\Users\Admin\AppData\Local\Temp\870a0ffa27ac477069085a11d2a92f738021fef4541a9ac2355a36e43a3f9fce.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Users\Admin\qnzez.exe
      "C:\Users\Admin\qnzez.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1576

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\qnzez.exe

    Filesize

    236KB

    MD5

    ff0e20ebd594214dabe7412e4ecce5cc

    SHA1

    6ab1194ec6aa92efc36cce16a78b2f3873fc43d3

    SHA256

    de06273c2d0eeb40e26dfa9853c4384dbb0b0794e0032efd906d323f1d3d69c3

    SHA512

    ebfc5fad2ab5cabc70a0f91ede38c7d857dad6db6aae2553b92f21b3a36441d250821a32cfcdde1f453650ed4ab8b83c751ded055f7050dbce49b0c0fa3f8331