Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-10-2022 14:06

General

  • Target

    e9b3b58f3a7a956cff3c6cab607a669805cda9d4672bc89257a38ba906454c80.exe

  • Size

    124KB

  • MD5

    a11c45ed535ae1270af000465bae4020

  • SHA1

    cc4eefa00b16df4037949162757b2b7bfd600839

  • SHA256

    e9b3b58f3a7a956cff3c6cab607a669805cda9d4672bc89257a38ba906454c80

  • SHA512

    e035f19f362a69abfbff8f6e127ca9a756702d91d83cdd4133f2b4b71a62ee05704f2306988ad795eeca67cae920edd21d766b9877facf91675d25b782b42b0e

  • SSDEEP

    1536:E1JzM5YxhhRF/N69Be3O4Ga+FE1jKKvRgrkOSoqPNeG0h/y:yxeYxhh3FoI3O41+F0kSjIq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9b3b58f3a7a956cff3c6cab607a669805cda9d4672bc89257a38ba906454c80.exe
    "C:\Users\Admin\AppData\Local\Temp\e9b3b58f3a7a956cff3c6cab607a669805cda9d4672bc89257a38ba906454c80.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Users\Admin\yhmuez.exe
      "C:\Users\Admin\yhmuez.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\yhmuez.exe

    Filesize

    124KB

    MD5

    0b7d829cb1998c1c6c1974b24d521d11

    SHA1

    cf2786c0f09a83d75ef8831847f88b74dc19df7c

    SHA256

    7c2e6282ab840e88f08099e540bdce667cecf78ae84d717f33a6bed9049a88ec

    SHA512

    8da4137b849323ec1513af2f5f75e5736fe972177f6c41a1c7bfb68583af854e0aa3e4e20dd151dfaac14e860d46442064bda4985f8257c58ad1a14792a8621a

  • memory/4636-134-0x0000000000000000-mapping.dmp