Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2022 00:28

General

  • Target

    002b1ea364d98cb94d90af4bc17b169b022858631a4aca3d8297216cccf89372.exe

  • Size

    104KB

  • MD5

    928737778eb27eaa804cb0de09981cd0

  • SHA1

    d71702bb32cc1d1dc954e851586e01ecf23e512c

  • SHA256

    002b1ea364d98cb94d90af4bc17b169b022858631a4aca3d8297216cccf89372

  • SHA512

    ba0f52b95d8dc066fd230e2e8d589d87bdd951c37c35b304e80273b57141694f68e466a54a4eabd2bde44461b395358b14c420c9258968ce5d0f1eb9d66fc365

  • SSDEEP

    1536:T253fElJZScK43sKeWjwJBAOs9G2HaQNsMj3i6E3j:a53fElJkIsK0IHxN/Oj

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\002b1ea364d98cb94d90af4bc17b169b022858631a4aca3d8297216cccf89372.exe
    "C:\Users\Admin\AppData\Local\Temp\002b1ea364d98cb94d90af4bc17b169b022858631a4aca3d8297216cccf89372.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\juefuk.exe
      "C:\Users\Admin\juefuk.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\juefuk.exe

    Filesize

    104KB

    MD5

    0a40ab14fc42cb2b9650331845192cb5

    SHA1

    4796871a515f4271495884b700f2ab10f70009af

    SHA256

    8cc61a37fa5c19c717c8223584d7a183e2195f6bc2d3fb061c71e7184320eb02

    SHA512

    c974f57bc1c26684dae427dfada84fd6ad66c12bcd90fd11900f932e1e18ad0b819bbe3c938015ce43ff968fca53ef6a73584800e2c603d95460e8ad7d4df252

  • \Users\Admin\juefuk.exe

    Filesize

    104KB

    MD5

    0a40ab14fc42cb2b9650331845192cb5

    SHA1

    4796871a515f4271495884b700f2ab10f70009af

    SHA256

    8cc61a37fa5c19c717c8223584d7a183e2195f6bc2d3fb061c71e7184320eb02

    SHA512

    c974f57bc1c26684dae427dfada84fd6ad66c12bcd90fd11900f932e1e18ad0b819bbe3c938015ce43ff968fca53ef6a73584800e2c603d95460e8ad7d4df252

  • memory/900-56-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB

  • memory/1728-59-0x0000000000000000-mapping.dmp