Analysis

  • max time kernel
    191s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    • arch:x64
    • arch:x86
    • image:win10v2004-20220812-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    30-10-2022 00:12

General

  • Target

    5361033e4924b63d040dba78e81eff9cdfdfc59343b3ad4e1f7da7cc23900ca5.exe

  • Size

    292KB

  • MD5

    a28be5d5de12ab68efb32540b245c820

  • SHA1

    213c7423cbf1d8127fce79e10cc5af2683e508e1

  • SHA256

    5361033e4924b63d040dba78e81eff9cdfdfc59343b3ad4e1f7da7cc23900ca5

  • SHA512

    aaf98f2cd65c1f51a85b6937e75897446c2f0552da34de128058a9ac9e1bfc13372bc5e4c331dde86c9475f7776c60bac635901b28721452fa9f259c89ef7218

  • SSDEEP

    6144:4aczAnqtrZjQCBBvfmge2uXOyDDaX66UEbuGHAceNEFKLrLRKD7ucfnxh4B7yCJe:4a3nqttp9K5CooEeOnio

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5361033e4924b63d040dba78e81eff9cdfdfc59343b3ad4e1f7da7cc23900ca5.exe
    "C:\Users\Admin\AppData\Local\Temp\5361033e4924b63d040dba78e81eff9cdfdfc59343b3ad4e1f7da7cc23900ca5.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\gyfaef.exe
      "C:\Users\Admin\gyfaef.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2132

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\gyfaef.exe

    Filesize

    292KB

    MD5

    c48e5bb0f3f7e11d1be3a86838108b5e

    SHA1

    fd779a484eb95e5297d1e0d486304271f7c58c74

    SHA256

    f6efdf0c5ee19b3ba99bd5575699f32c6fd8c0cb060b9ec088d05801cda4d9d7

    SHA512

    37ea09ad747e3bcd2494db3e2864aa51b5060cf02b66100cd64072c5d788cd6e3172a393dcb0b7106e51f3ed500a699c390abaa05441f1034c9490dedb6f9ac9
