Overview

overview

10

Static

static

aefeedc2b9...91.exe

windows7-x64

10

aefeedc2b9...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 10:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aefeedc2b938000040dbaa741b512f41b88dfdf7f2554dc7953dc84d414b6291.exe

  • Size

    148KB

  • MD5

    a0743c35796426e4293857be4136c519

  • SHA1

    eac65c8eda8c2c4fc251c9cf3e6282bbfefe29d4

  • SHA256

    aefeedc2b938000040dbaa741b512f41b88dfdf7f2554dc7953dc84d414b6291

  • SHA512

    0af0a57efbb4324228ee0c79ce9d9f09522cb0b347294f21ff8d8d40f75216b9cf7abdcacedb9a663cc05070fbb00085079d4aa666545ce5332988875718c52a

  • SSDEEP

    1536:lHcMWcJzaqBVJO7l2bTG9Rm1wqPKkkYW7QBFyaXHy6iSnLoHB3tI:ZcbcwqBVJzbTG9Rm1wkkYZzHUt

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aefeedc2b938000040dbaa741b512f41b88dfdf7f2554dc7953dc84d414b6291.exe
    "C:\Users\Admin\AppData\Local\Temp\aefeedc2b938000040dbaa741b512f41b88dfdf7f2554dc7953dc84d414b6291.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\bmlar.exe
      "C:\Users\Admin\bmlar.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1408

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\bmlar.exe
          Filesize

          148KB

          MD5

          e428222c54e88b67af25310b51b8271e

          SHA1

          da92b4608a992f1eb7d5c6159bcd809040845e10

          SHA256

          26d3d78118920f787c3372bc802a7d3d0b37f1a427175e3a78bc9df65b79b06a

          SHA512

          4f525d948f9710778dcd6513c9e8034a57e7f2d8a68c506e8193ab5f77e0a7b45626cd5d0c2269b6742a7ae46bac085c7cd5cf9fc38e24cd583d39d553b3539b

          Download Submit

        • C:\Users\Admin\bmlar.exe
          Filesize

          148KB

          MD5

          e428222c54e88b67af25310b51b8271e

          SHA1

          da92b4608a992f1eb7d5c6159bcd809040845e10

          SHA256

          26d3d78118920f787c3372bc802a7d3d0b37f1a427175e3a78bc9df65b79b06a

          SHA512

          4f525d948f9710778dcd6513c9e8034a57e7f2d8a68c506e8193ab5f77e0a7b45626cd5d0c2269b6742a7ae46bac085c7cd5cf9fc38e24cd583d39d553b3539b

          Download Submit

        • \Users\Admin\bmlar.exe
          Filesize

          148KB

          MD5

          e428222c54e88b67af25310b51b8271e

          SHA1

          da92b4608a992f1eb7d5c6159bcd809040845e10

          SHA256

          26d3d78118920f787c3372bc802a7d3d0b37f1a427175e3a78bc9df65b79b06a

          SHA512

          4f525d948f9710778dcd6513c9e8034a57e7f2d8a68c506e8193ab5f77e0a7b45626cd5d0c2269b6742a7ae46bac085c7cd5cf9fc38e24cd583d39d553b3539b

          Download Submit

        • \Users\Admin\bmlar.exe
          Filesize

          148KB

          MD5

          e428222c54e88b67af25310b51b8271e

          SHA1

          da92b4608a992f1eb7d5c6159bcd809040845e10

          SHA256

          26d3d78118920f787c3372bc802a7d3d0b37f1a427175e3a78bc9df65b79b06a

          SHA512

          4f525d948f9710778dcd6513c9e8034a57e7f2d8a68c506e8193ab5f77e0a7b45626cd5d0c2269b6742a7ae46bac085c7cd5cf9fc38e24cd583d39d553b3539b

          Download Submit

        • memory/1304-56-0x00000000762E1000-0x00000000762E3000-memory.dmp

          Filesize

          8KB

          Download