Analysis

  • max time kernel
    154s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2022 15:57

General

  • Target

    b3760b18ee2cf78a4f1ac781bc18a6b0581b75e5610b3165637d4c3e67dcd80e.exe

  • Size

    176KB

  • MD5

    422994293cf16e314000e20b1e386d6d

  • SHA1

    5f8ad51c84ea1f2329cba7b05b2f573f6f1b59ff

  • SHA256

    b3760b18ee2cf78a4f1ac781bc18a6b0581b75e5610b3165637d4c3e67dcd80e

  • SHA512

    a80832c57042ede9f1bac8bef659204089ac732990f4d580d9becfb48b843cf0278e7969e1b9b5371400ca7f7af64047a0a8bfe0668fa65c6f617f3c24a21f04

  • SSDEEP

    3072:T8UDDqu3mQj0LcNTLsRASWukki7+f4aqosA:T8pQj0SARi7+f4aqosA

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3760b18ee2cf78a4f1ac781bc18a6b0581b75e5610b3165637d4c3e67dcd80e.exe
    "C:\Users\Admin\AppData\Local\Temp\b3760b18ee2cf78a4f1ac781bc18a6b0581b75e5610b3165637d4c3e67dcd80e.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\wuoabol.exe
      "C:\Users\Admin\wuoabol.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1172
      2⤵
      • Program crash
      PID:4872
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5080 -ip 5080
    1⤵
    PID:4344

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\wuoabol.exe

    Filesize

    176KB

    MD5

    f517b1e4107fabdd0259723948210e8f

    SHA1

    254fe3e2aea7b3d0941e53d7692d1bb071c65b87

    SHA256

    3b181b6d94b60c89c637638398437689883da3bfcd0e7921da2276b730062ef6

    SHA512

    4eaba08c3099c93ebfe27f5559535435e7aa3ee0bab3033d79b9a247c7319513b519a9fe47164122bfbb4f27d02b424fcc72746542eb9d8b110baf8c774cc844