Analysis

  • max time kernel
    164s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 05:06

General

  • Target

    67ae7b587ee4aeaeaba84516a9ca6f61b950e264ad616be723e8c65921a84fa5.exe

  • Size

    128KB

  • MD5

    83b4d0b1df3b31fa7d06552e329bcd60

  • SHA1

    3d6afb42b15c330f4a59dd360e6b0520223ca1ef

  • SHA256

    67ae7b587ee4aeaeaba84516a9ca6f61b950e264ad616be723e8c65921a84fa5

  • SHA512

    0899d2a51736642e0f2091c34da399465fb8f6283692fe074bd9b88d1af790f8ebeab4e69275dac0316e0aa4676081e89d70da97c608c70e9c7cc586d17e017a

  • SSDEEP

    1536:GocwYl02OnFYJiq6H48O6j6/t66366Z6Jz36k6eA66KD6sqG/Oji6FA8HxAH6xME:JXD2OnF4S3e50jMZZZZWMkIJ9

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67ae7b587ee4aeaeaba84516a9ca6f61b950e264ad616be723e8c65921a84fa5.exe
    "C:\Users\Admin\AppData\Local\Temp\67ae7b587ee4aeaeaba84516a9ca6f61b950e264ad616be723e8c65921a84fa5.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\waiobeh.exe
      "C:\Users\Admin\waiobeh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\waiobeh.exe

    Filesize

    128KB

    MD5

    9c43fefb5189cd00724224691056a5c5

    SHA1

    8ad910896332bb79f85727554879a4b27f936fc2

    SHA256

    76045b1726296366d1f13f3d6c2ad7080c72aa67fc20eea6379a8f915c372060

    SHA512

    8ed9eff92ceea43028d1333a28ce0f6b82736518e7aa32e74cb50b76813624f39d4250354d40157c9788d78cb5b04382d8af3f27c1ef848fbe45008f68eb4751

  • memory/1780-134-0x0000000000000000-mapping.dmp