Overview

overview

10

Static

static

e6173e325e...2b.exe

windows7-x64

10

e6173e325e...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-10-2022 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe

  • Size

    272KB

  • MD5

    4e5cd7aab2d7865018ce6724740bcc80

  • SHA1

    cc99b0c2a2d916dac2f7143dd981db82a4161222

  • SHA256

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

  • SHA512

    12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

  • SSDEEP

    3072:0jsxTNg91R0FvbVJznCRcy/hqF69MSs/PLLK+ammU3YwgTeA3P9:ZzS8fznHC39G/PLLKU3YwgT

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
    "C:\Users\Admin\AppData\Local\Temp\e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\youwig.exe
      "C:\Users\Admin\youwig.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1444

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\youwig.exe
    Filesize

    272KB

    MD5

    4e5cd7aab2d7865018ce6724740bcc80

    SHA1

    cc99b0c2a2d916dac2f7143dd981db82a4161222

    SHA256

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

    SHA512

    12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

    Download Submit

  • C:\Users\Admin\youwig.exe
    Filesize

    272KB

    MD5

    4e5cd7aab2d7865018ce6724740bcc80

    SHA1

    cc99b0c2a2d916dac2f7143dd981db82a4161222

    SHA256

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

    SHA512

    12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

    Download Submit

  • \Users\Admin\youwig.exe
    Filesize

    272KB

    MD5

    4e5cd7aab2d7865018ce6724740bcc80

    SHA1

    cc99b0c2a2d916dac2f7143dd981db82a4161222

    SHA256

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

    SHA512

    12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

    Download Submit

  • \Users\Admin\youwig.exe
    Filesize

    272KB

    MD5

    4e5cd7aab2d7865018ce6724740bcc80

    SHA1

    cc99b0c2a2d916dac2f7143dd981db82a4161222

    SHA256

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

    SHA512

    12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

    Download Submit

  • memory/1444-59-0x0000000000000000-mapping.dmp

    Download

  • memory/2020-56-0x0000000075451000-0x0000000075453000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2020-65-0x00000000741C1000-0x00000000741C3000-memory.dmp

    Filesize

    8KB

    Download