Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/10/2022, 20:18

General

  • Target

    a98a5993f18212eeee6f15f69778b978bb9f8246eee8b1403f547677c8769915.exe

  • Size

    88KB

  • MD5

    91c27587ccd95a28863ddc8fb60b6ea0

  • SHA1

    dc065b31e09bd3f3d0672bbd6c4226a7d40f11e5

  • SHA256

    a98a5993f18212eeee6f15f69778b978bb9f8246eee8b1403f547677c8769915

  • SHA512

    1e7d33d69d2c131f163bd6ec9f9acbe7ac6b1cb6060f8ab8976f88c03c4b4cb0028e71cb13a5a73c0cf6e2ff9ae0b7f620e079ba4c5911871233b52fbd9f9a03

  • SSDEEP

    1536:/fuvfCqG84caEz0+nCsNAhz74yWzVaCQdGV4KW:O684vz74yOsrG5W

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a98a5993f18212eeee6f15f69778b978bb9f8246eee8b1403f547677c8769915.exe
    "C:\Users\Admin\AppData\Local\Temp\a98a5993f18212eeee6f15f69778b978bb9f8246eee8b1403f547677c8769915.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Users\Admin\yixaw.exe
      "C:\Users\Admin\yixaw.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\yixaw.exe

    Filesize

    88KB

    MD5

    15784e15a31fc046057e6d39960b378a

    SHA1

    ed040835dcec8a660e5798e79f21b0a0ee64c06e

    SHA256

    4ba671e5fbb2caeb135dbbfcba2ef017b43f677b17f9319b76aee620c05388dc

    SHA512

    35d56d371d63a04f6c2184e7355a37e23aa79cf1def5e2cf2cc43822f9574de6ba979b17347d8b2f41e635515a3c17c9c754da6aae27777faab7ad9c8f95fa51

  • \Users\Admin\yixaw.exe

    Filesize

    88KB

    MD5

    15784e15a31fc046057e6d39960b378a

    SHA1

    ed040835dcec8a660e5798e79f21b0a0ee64c06e

    SHA256

    4ba671e5fbb2caeb135dbbfcba2ef017b43f677b17f9319b76aee620c05388dc

    SHA512

    35d56d371d63a04f6c2184e7355a37e23aa79cf1def5e2cf2cc43822f9574de6ba979b17347d8b2f41e635515a3c17c9c754da6aae27777faab7ad9c8f95fa51

  • memory/364-56-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB