Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 01:39

General

  • Target

    6844c95e4ed873e55a8b8625f3ef37a61027b6122c218f64d4040373f1c8a193.exe

  • Size

    152KB

  • MD5

    8110e09f22a3e291b4877c1e1f54ffd2

  • SHA1

    2283ffc5fda725ff12a418755313571065115f41

  • SHA256

    6844c95e4ed873e55a8b8625f3ef37a61027b6122c218f64d4040373f1c8a193

  • SHA512

    3d3c5a43f2851558733f825acd073765845551b7ad9cf3019bf3c61c792dca10224da928c6834aa57ceac274a12e9cde2f184ca243e5cf8c54503880c4ee00b9

  • SSDEEP

    3072:UiSzMr/Yt8wZfLOweRty9bWT4Ni4oQZiEWV:IzMrQ+YBeW96TgeWS

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry; likely a geofence check.

  • Adds Run key to start application (2 TTPs, 54 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
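The signatures above translate into a short host-side check. The following PowerShell script is an added triage example, not part of the sandbox report or the sample; it looks for the artifacts the report does name (the dropped C:\Users\<user>\piiwi.exe and its SHA256, a Run-key entry referencing it, and Explorer's hidden-file settings). The report does not give the Run-key value name, so the script matches on the command data rather than a name, and the registry path used for the "location settings" lookup (HKCU\Control Panel\International\Geo) is an assumption about what that signature reads.

```powershell
# Added triage script (not from the sandbox report). Checks a Windows host for the
# indicators this report lists. Run in an elevated PowerShell session for HKLM access.

# SHA256 values taken from the report: the original sample and the dropped piiwi.exe.
$KnownSha256 = @(
    '6844c95e4ed873e55a8b8625f3ef37a61027b6122c218f64d4040373f1c8a193',
    '8e29921d891fa65ca21362fffefc9e410d3ac052fd56b513a3c8e107cd7eb3db'
)

$findings = @()

# 1. Dropped executable in each profile root (the report shows C:\Users\Admin\piiwi.exe).
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $candidate = Join-Path $_.FullName 'piiwi.exe'
    if (Test-Path -LiteralPath $candidate) {
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
        $verdict = if ($KnownSha256 -contains $hash) { 'SHA256 matches report' } else { 'SHA256 differs from report' }
        $findings += "Dropped file present: $candidate ($verdict)"
    }
}

# 2. Run-key persistence. No value name is given in the report, so inspect every value
#    under the usual Run keys and match on the command line instead.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
        if ("$($p.Value)" -match 'piiwi\.exe|6844c95e4ed873e55a8b8625f3ef37a6') {
            $findings += "Run key entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Explorer hidden/system file visibility. Hidden=2 and ShowSuperHidden=0 are the
#    Windows defaults (hide hidden files, hide protected OS files). Malware that drops
#    into the profile root commonly forces these values, so record them for comparison
#    with the user's known baseline rather than treating the defaults as clean.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) {
    $findings += "Explorer\Advanced: Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden) (defaults 2 / 0)"
}

# 4. Location settings. Assumption: the geofence signature corresponds to a read of the
#    configured country under HKCU\Control Panel\International\Geo; shown for context.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($geo) {
    $findings += "Configured location: Nation=$($geo.Nation) Name=$($geo.Name)"
}

if ($findings.Count -eq 0) {
    'No indicators from the report were found on this host.'
} else {
    $findings
}
```

A hash match on piiwi.exe is a firm indicator; a Run-key hit with a different hash still warrants a look, since a dropper of this type can write a repacked copy. Collect the file before removing the Run-key entry so the sample is preserved for analysis.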

Processes

  • C:\Users\Admin\AppData\Local\Temp\6844c95e4ed873e55a8b8625f3ef37a61027b6122c218f64d4040373f1c8a193.exe (PID 4876, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6844c95e4ed873e55a8b8625f3ef37a61027b6122c218f64d4040373f1c8a193.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\piiwi.exe (PID 4684, depth 2, child of PID 4876)
      Command line: "C:\Users\Admin\piiwi.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\piiwi.exe

    Filesize

    152KB

    MD5

    d14d1e96a5ff766ba0c84b28a41da519

    SHA1

    521600538133a7357cd0ac13b39d53a0157c67e3

    SHA256

    8e29921d891fa65ca21362fffefc9e410d3ac052fd56b513a3c8e107cd7eb3db

    SHA512

    e57f37fa81f8085cbe0db62345ca7a9c0bbfb1b6ad0aa5ac653e9935212a889837cb22cc04b81369fd04538945e07bf9033250c0a283f0a109b84d367a471dcd