Analysis

  • max time kernel
    187s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 01:58

General

  • Target

    8e2dc3c10913afe1cc5f9922979f5f751622d761c02d1149ae8a62891f82f04f.exe

  • Size

    104KB

  • MD5

    78de4fa2171014ece616be126a7c38a0

  • SHA1

    e3b3c5ff9b5bc3cd2028beb8339bbb63d979f2c9

  • SHA256

    8e2dc3c10913afe1cc5f9922979f5f751622d761c02d1149ae8a62891f82f04f

  • SHA512

    216bbd940182b92a370d98b6ead593eac0088055f0be726c90f6a9473d287f205a776d31aa309c5543674d923dd93c77e256a201c22f31ce3223a5fd2e86e0b9

  • SSDEEP

    1536:Lihvr9fIieh6hC3KwTHlyHcw1rqVjSxakAyBGWcJ5JZl:uhTlVehWwTHlyHBQNSxKJZl

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e2dc3c10913afe1cc5f9922979f5f751622d761c02d1149ae8a62891f82f04f.exe
    "C:\Users\Admin\AppData\Local\Temp\8e2dc3c10913afe1cc5f9922979f5f751622d761c02d1149ae8a62891f82f04f.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\hfbon.exe
      "C:\Users\Admin\hfbon.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3496

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\hfbon.exe

    Filesize

    104KB

    MD5

    8e5cb0d8f20c48fec2f5248b72328eae

    SHA1

    b04fe2dac602df2759bfba0383af2a95dcbd6c28

    SHA256

    ba33be1cd367a95dddce8657f1c877e8742c670da3bf2523cf1a87c29e0ef036

    SHA512

    8a4bc309b853cb8afc667d52b330d2e42aa6339ce248ae1ca431786dfcff6d4d70202952472e4b2c0c66d4aa78144c3999f6be44702fe392b6b48bfb551b1fc1