Overview

overview

10

Static

static

bebac0ab8a...55.exe

windows7-x64

10

bebac0ab8a...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bebac0ab8aeebbfc64a0c2d0644b99f1c7f720bff4219c59343f74b689ce2d55.exe

  • Size

    116KB

  • MD5

    54368c907f0cf494f91f2478490dc6e0

  • SHA1

    ca436cb2a30d3c61ed7b7653c7506dce4933b068

  • SHA256

    bebac0ab8aeebbfc64a0c2d0644b99f1c7f720bff4219c59343f74b689ce2d55

  • SHA512

    861eaa565a5dbd643640ef0f1882d44ca9aa34a32d923d62f30cfb26a6200f142d0fdda4b8ae4f573fbc7ad8a1307b1b076905313df42d9025edb581091d09f9

  • SSDEEP

    1536:qUsNo7v2V46QhdrSXt+XazoFm+D+w+j+4+1kbiMUer7n9sqAEFO7F2Mlb:Vlb

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bebac0ab8aeebbfc64a0c2d0644b99f1c7f720bff4219c59343f74b689ce2d55.exe
    "C:\Users\Admin\AppData\Local\Temp\bebac0ab8aeebbfc64a0c2d0644b99f1c7f720bff4219c59343f74b689ce2d55.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\meari.exe
      "C:\Users\Admin\meari.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\meari.exe
    Filesize

    116KB

    MD5

    c8902ab1862ccb3e4aec9f0c1bf3ed91

    SHA1

    8f428d2a05e3556b025e5741e5989f72950821f5

    SHA256

    e47d85bf06c622c1912e19fe734b52e1406f35a5ee910b3b02f4107fc1d741e3

    SHA512

    d7bd2550d8ee466da28fb9911af9dddf72bd1ac5b8d93b25f409dbc05da05e76531b17aaef527c1d878ef8c1c3bcad18f1c21a771a19daa50fabee3db4803d56

    Download Submit

  • C:\Users\Admin\meari.exe
    Filesize

    116KB

    MD5

    c8902ab1862ccb3e4aec9f0c1bf3ed91

    SHA1

    8f428d2a05e3556b025e5741e5989f72950821f5

    SHA256

    e47d85bf06c622c1912e19fe734b52e1406f35a5ee910b3b02f4107fc1d741e3

    SHA512

    d7bd2550d8ee466da28fb9911af9dddf72bd1ac5b8d93b25f409dbc05da05e76531b17aaef527c1d878ef8c1c3bcad18f1c21a771a19daa50fabee3db4803d56

    Download Submit

  • \Users\Admin\meari.exe
    Filesize

    116KB

    MD5

    c8902ab1862ccb3e4aec9f0c1bf3ed91

    SHA1

    8f428d2a05e3556b025e5741e5989f72950821f5

    SHA256

    e47d85bf06c622c1912e19fe734b52e1406f35a5ee910b3b02f4107fc1d741e3

    SHA512

    d7bd2550d8ee466da28fb9911af9dddf72bd1ac5b8d93b25f409dbc05da05e76531b17aaef527c1d878ef8c1c3bcad18f1c21a771a19daa50fabee3db4803d56

    Download Submit

  • \Users\Admin\meari.exe
    Filesize

    116KB

    MD5

    c8902ab1862ccb3e4aec9f0c1bf3ed91

    SHA1

    8f428d2a05e3556b025e5741e5989f72950821f5

    SHA256

    e47d85bf06c622c1912e19fe734b52e1406f35a5ee910b3b02f4107fc1d741e3

    SHA512

    d7bd2550d8ee466da28fb9911af9dddf72bd1ac5b8d93b25f409dbc05da05e76531b17aaef527c1d878ef8c1c3bcad18f1c21a771a19daa50fabee3db4803d56

    Download Submit

  • memory/1600-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

    Filesize

    8KB

    Download