Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2022 01:45

General

  • Target

    1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70.exe

  • Size

    208KB

  • MD5

    4a40e42ac66208fe0a1b9c5f49e74125

  • SHA1

    2bc4dc35ea77048190841e3c963a8ef2fd567501

  • SHA256

    1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70

  • SHA512

    69e2fadc09470cd19a9b04ee8e8683de768b61d16cbb81db0a9752041fa312e6f64d71f63c89a2269f21b772f941481dcbfdebda5d9d550a0c2e7fb734794282

  • SSDEEP

    6144:9oAsRuQmToYfPeffkxsthVIVO+b/RnmbT4PW9UmE7ldESgvSAOugw4:9ouQmToYfPeffkxsthVIVO+b/9mbkPWI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70.exe
    "C:\Users\Admin\AppData\Local\Temp\1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\doaagic.exe
      "C:\Users\Admin\doaagic.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3680

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\doaagic.exe

    Filesize

    208KB

    MD5

    e67bd6fe6ae0d870812f514c7a4f85d2

    SHA1

    d785f912a0c2173075e619416902048fc6793ee4

    SHA256

    21b845359a46031b00f95b688afcc6ff5d5759776b5da8723a39cc0425ece6be

    SHA512

    c347101996eb87704591d7f51059cd1ab55757487550b48f19464f88307e0b51424287cf202b2cb864f969656efdd98b9cd1f016af87f0845e8007db3adb9494