Analysis

  • max time kernel
    167s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2022 20:43

General

  • Target

    f019e250983ab9366e73322fcd2735aa234d388f9e3923b7fe3b5709c7c9f2f4.exe

  • Size

    288KB

  • MD5

    68e08bfd1704d0bc4ff8ff85953f5a40

  • SHA1

    195cac3111a1c6a2e99305f72381ba17c8d1ff69

  • SHA256

    f019e250983ab9366e73322fcd2735aa234d388f9e3923b7fe3b5709c7c9f2f4

  • SHA512

    3077ef4e114f9934b16185c9110cf3aab68364e74dcb081775052efbd371d10c22ec4ee59d15a4b8bc96eadadac2bd29f49be6e9d9c6c2a0ab472a43f8857583

  • SSDEEP

    6144:NUigIAN+tytpx96Hg02BCh3FZuhbYaxUG2nIVeUutl:NUigIfyDxsHg02BCh3FZuhbYaxUG2npN

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f019e250983ab9366e73322fcd2735aa234d388f9e3923b7fe3b5709c7c9f2f4.exe
    "C:\Users\Admin\AppData\Local\Temp\f019e250983ab9366e73322fcd2735aa234d388f9e3923b7fe3b5709c7c9f2f4.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\viuuliw.exe
      "C:\Users\Admin\viuuliw.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4748

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\viuuliw.exe

    Filesize

    288KB

    MD5

    5b8898d5a0576813f37d4f054d016410

    SHA1

    184582fc9dd396fc9c8810a1c591ffb4206c8ddb

    SHA256

    2a36a6c931b05b99be2249c6df6e1f7a155244079d9aaa26b24675a05357abbf

    SHA512

    f72a44b7025c5c93f913a92966e797da60530e1cf95618f9e4bb21496a8796bdf5b2c2607442f899521bf5ac28bea88d4ed23fc71f423a61c68b5ed9b2d8d15d

  • memory/4748-135-0x0000000000000000-mapping.dmp

  • memory/4748-140-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/4748-142-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/4868-132-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/4868-141-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB