Overview

overview

10

Static

static

3b27ea9271...fe.exe

windows7-x64

10

3b27ea9271...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2022, 14:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3b27ea92710f6d6878e8f89c104b302bc7d9375358070fe3c395837d0bcc6ffe.exe

  • Size

    192KB

  • MD5

    774dc306af3514c331414659f287c450

  • SHA1

    191de70c62cb05ce7d4d0d6f08452c738220d533

  • SHA256

    3b27ea92710f6d6878e8f89c104b302bc7d9375358070fe3c395837d0bcc6ffe

  • SHA512

    669a8f99f88624e121e918e00a72aadde1a0f71dde4e8613a3d3570773c8c273b8eaff65f5f40613b2661d36ffc42d639593093ea211f45333b88e0f734f6b0c

  • SSDEEP

    3072:wu8+lE5yDnOBrpM3lt0bqO4deKIpS2Q9tC3UwtxaTSGzGXDzp8D8OJbhaDDe3ofE:tDnOBr63cbqO40K394aTSGzGZ8ognYM

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b27ea92710f6d6878e8f89c104b302bc7d9375358070fe3c395837d0bcc6ffe.exe
    "C:\Users\Admin\AppData\Local\Temp\3b27ea92710f6d6878e8f89c104b302bc7d9375358070fe3c395837d0bcc6ffe.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\jvjaop.exe
      "C:\Users\Admin\jvjaop.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1748

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\jvjaop.exe
          Filesize

          192KB

          MD5

          4d417cd2ca7c7c9029d7f97fdf7a9389

          SHA1

          9fd63b597e880a024d3196fea975121c1e5df6a7

          SHA256

          ab1ec7d613859820b53c5afe30d22dd21cc919e611a519d84083788730628a6b

          SHA512

          7b27d1293e0826990074ef3012681ed2dbc6b2c232e7941f7cd6a8f8b23aaf795daf4e3f71d94b728fc8600c28aaf47e9397f8866d86c2994564a2d394889075

          Download Submit

        • C:\Users\Admin\jvjaop.exe
          Filesize

          192KB

          MD5

          4d417cd2ca7c7c9029d7f97fdf7a9389

          SHA1

          9fd63b597e880a024d3196fea975121c1e5df6a7

          SHA256

          ab1ec7d613859820b53c5afe30d22dd21cc919e611a519d84083788730628a6b

          SHA512

          7b27d1293e0826990074ef3012681ed2dbc6b2c232e7941f7cd6a8f8b23aaf795daf4e3f71d94b728fc8600c28aaf47e9397f8866d86c2994564a2d394889075

          Download Submit

        • \Users\Admin\jvjaop.exe
          Filesize

          192KB

          MD5

          4d417cd2ca7c7c9029d7f97fdf7a9389

          SHA1

          9fd63b597e880a024d3196fea975121c1e5df6a7

          SHA256

          ab1ec7d613859820b53c5afe30d22dd21cc919e611a519d84083788730628a6b

          SHA512

          7b27d1293e0826990074ef3012681ed2dbc6b2c232e7941f7cd6a8f8b23aaf795daf4e3f71d94b728fc8600c28aaf47e9397f8866d86c2994564a2d394889075

          Download Submit

        • \Users\Admin\jvjaop.exe
          Filesize

          192KB

          MD5

          4d417cd2ca7c7c9029d7f97fdf7a9389

          SHA1

          9fd63b597e880a024d3196fea975121c1e5df6a7

          SHA256

          ab1ec7d613859820b53c5afe30d22dd21cc919e611a519d84083788730628a6b

          SHA512

          7b27d1293e0826990074ef3012681ed2dbc6b2c232e7941f7cd6a8f8b23aaf795daf4e3f71d94b728fc8600c28aaf47e9397f8866d86c2994564a2d394889075

          Download Submit

        • memory/1808-56-0x0000000075211000-0x0000000075213000-memory.dmp

          Filesize

          8KB

          Download