Analysis

  • max time kernel
    188s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 20:47

General

  • Target

    61249cf05cc01e0b3a277950c37b7df7b9ee18407a0f43adbb2e651f53d7f7c5.exe

  • Size

    180KB

  • MD5

    6846efde0df4799903f7c726f653c680

  • SHA1

    ca347c618b70eb0c95e28bd844b9b802f91c78de

  • SHA256

    61249cf05cc01e0b3a277950c37b7df7b9ee18407a0f43adbb2e651f53d7f7c5

  • SHA512

    45bd131b6b63397adda735948b3e60901f192b1be2a166293c4f21576bedbd3c9b5e132326440028591802f9faf45e194aa989ecb3ec79957fa0b00646c685e7

  • SSDEEP

    3072:JyfdVAXY71idPAaWELGzMshNXTDFE+7jF6XTjaJ:JyfzAY+oXqFshNTDT756XTI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61249cf05cc01e0b3a277950c37b7df7b9ee18407a0f43adbb2e651f53d7f7c5.exe
    "C:\Users\Admin\AppData\Local\Temp\61249cf05cc01e0b3a277950c37b7df7b9ee18407a0f43adbb2e651f53d7f7c5.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\hqwew.exe
      "C:\Users\Admin\hqwew.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:384

Network

Downloads

  • C:\Users\Admin\hqwew.exe

    Filesize
    180KB

    MD5
    b6bee394c7d73383469dd87a0203276d

    SHA1
    0f44994c2f4805a563a3464c4b499c589e0b2ab6

    SHA256
    86471f0d903fc43f602e1bada818c9791d468fe4f99cdfb0d886470e7f80f755

    SHA512
    dd5c509a39866a4774f025bc0894b9ea3ace4e98234b9c1f3f2920833eca6c77dd80d62fdad51c8dc5e311cb6cef642ae50d4dfed56b06b3cd9ff12cb62c95c7