Analysis

  • max time kernel
    151s
  • max time network
    77s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2022, 10:03

General

  • Target

    eb66c8a9e00ec9723dbd32d592e528b41b4c7a96270cd1725f5450c36e92ccfa.exe

  • Size

    272KB

  • MD5

    96d355cbc2c27c59f268939dedab1284

  • SHA1

    8ae7c213914089266b967df8f5d06019ffe9ad7e

  • SHA256

    eb66c8a9e00ec9723dbd32d592e528b41b4c7a96270cd1725f5450c36e92ccfa

  • SHA512

    18dbcab99f12e7846bfa5c0d2cb0b27721c6fb4116aefe9963e1a8655c629f416812963ddcf2e49dbaf9ffba7a3333a085530cda4164178cd92073c37622f28b

  • SSDEEP

    6144:MjFcrymU8iHOADP0UfV3SHWPIxXZgO+VeR8RUl:VXUfJSj+R

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb66c8a9e00ec9723dbd32d592e528b41b4c7a96270cd1725f5450c36e92ccfa.exe
    "C:\Users\Admin\AppData\Local\Temp\eb66c8a9e00ec9723dbd32d592e528b41b4c7a96270cd1725f5450c36e92ccfa.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\caojei.exe
      "C:\Users\Admin\caojei.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\caojei.exe

    Filesize

    272KB

    MD5

    857409145260e2512c97fd387fa4b828

    SHA1

    e9517fdd847e10d58cde6e012bd1ad7f6695b294

    SHA256

    97478241d88fe11de4242a0686e678ca2c368746eee1f6252250bcbf016d1551

    SHA512

    964af9001cab6eabe04dae6364314868eb4b1a878181765de3edb242532a99061c2c7ddae4c8054f704381650ad169b78ba0eda0b56f5b338620485c19bceda5

  • \Users\Admin\caojei.exe

    Filesize

    272KB

    MD5

    857409145260e2512c97fd387fa4b828

    SHA1

    e9517fdd847e10d58cde6e012bd1ad7f6695b294

    SHA256

    97478241d88fe11de4242a0686e678ca2c368746eee1f6252250bcbf016d1551

    SHA512

    964af9001cab6eabe04dae6364314868eb4b1a878181765de3edb242532a99061c2c7ddae4c8054f704381650ad169b78ba0eda0b56f5b338620485c19bceda5

  • memory/1800-56-0x00000000758C1000-0x00000000758C3000-memory.dmp

    Filesize

    8KB