Analysis

  • max time kernel
    153s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/10/2022, 16:20

General

  • Target

    92fb51b9e743244dc6017c1d139ee47b8029a71d2d83d0c2c7622d958c001d22.exe

  • Size

    256KB

  • MD5

    a3a8a7cebcfe6ec1e4b114b5245cc663

  • SHA1

    1d323abe983e699a39cbedd5eaa42d43aa115e43

  • SHA256

    92fb51b9e743244dc6017c1d139ee47b8029a71d2d83d0c2c7622d958c001d22

  • SHA512

    51faa9c804ed8fe3d456066a935c6a97d40b9fcdbf7672771687dc365ce6e6bed79fc506622e0ff156218d1a98da97ca996396e1e47d96122f704507dadcbfd5

  • SSDEEP

    3072:U3ZVoelPlp/nskpCUv5T79fzCC/M7BFsqMabeYiUDoZG533ygo:CftPlptNvl9fm0UBFsqMabeYiUDogpF

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92fb51b9e743244dc6017c1d139ee47b8029a71d2d83d0c2c7622d958c001d22.exe
    "C:\Users\Admin\AppData\Local\Temp\92fb51b9e743244dc6017c1d139ee47b8029a71d2d83d0c2c7622d958c001d22.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Users\Admin\ypkuir.exe
      "C:\Users\Admin\ypkuir.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4312

Network

        Downloads

        • C:\Users\Admin\ypkuir.exe

          Filesize

          256KB

          MD5

          31e43587387c056b8d75fd5f3df767ca

          SHA1

          d27a5bf0dce2f0371b007509aa064ee291ee0cc7

          SHA256

          97a4d6110e0a21b6671d5245b1ad987cebcf608db574651fc39774ab06791254

          SHA512

          ebe362b08021a05e37004d7a8454aedc5a72a6a6572d8cafbe81b41cabafdc70b217ce229493ee15bce11655df3398adf9c37824961102eaf0288a9fc9c4935b