Analysis

  • max time kernel
    156s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 19:57

General

  • Target

    d8b3aa6948855aabae8930a54a81519cc414aac5626ea6d8fac92cd08fc6e90a.exe

  • Size

    244KB

  • MD5

    92218578e4073711891d61523b515950

  • SHA1

    59318d2d1e2154eb823b1193678812a3e10a5ec8

  • SHA256

    d8b3aa6948855aabae8930a54a81519cc414aac5626ea6d8fac92cd08fc6e90a

  • SHA512

    5697aff7551e020515f5640d9d381aef25bc4366b39e7986d9184c9c96d37cb61eb24c7b4deac64197caad8937d80af84b96a830d14fa1e5b51a9dfc8ca9938c

  • SSDEEP

    6144:0Rww39SfGzlTphJgW9mnrQLMjTsZzILK/fObT/bGiuF0a59ONKLUWrIhO1a8p5x+:Rw39SfGzlTPJgWUnjjTsZzILK/fObT/X

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8b3aa6948855aabae8930a54a81519cc414aac5626ea6d8fac92cd08fc6e90a.exe
    "C:\Users\Admin\AppData\Local\Temp\d8b3aa6948855aabae8930a54a81519cc414aac5626ea6d8fac92cd08fc6e90a.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\zuuoteb.exe
      "C:\Users\Admin\zuuoteb.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4532
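
The signatures listed above and the process tree they decorate translate directly into host-side detection logic. What follows is an added example, not part of the sandbox report or its tooling: it encodes those behaviours as rules and runs them over a constructed EDR-style event stream (constructed for illustration, not the sandbox's own telemetry). The report names behaviours, not the registry locations behind them, so the Run/RunOnce key, the Explorer\Advanced Hidden and ShowSuperHidden values, the Control Panel\International\Geo\Nation lookup, and the exclusion of explorer.exe as the one legitimate writer of the visibility values are assumptions; the file paths, PIDs and SHA256 hashes are taken from the report.

```python
"""Detection rules derived from the sandbox report's behavioural signatures
and process tree, run over a constructed event stream.

Added example, not part of the sandbox report or its tooling. The events are
constructed EDR-style telemetry (not the sandbox's own data) and the registry
paths are assumptions: the report names behaviours, not the keys it watched.
"""
import re

# Indicators copied from the report (sample and dropped file).
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\d8b3aa6948855aabae8930a54a81519cc414aac5626ea6d8fac92cd08fc6e90a.exe")
SAMPLE_SHA256 = "d8b3aa6948855aabae8930a54a81519cc414aac5626ea6d8fac92cd08fc6e90a"
DROPPED_PATH = r"C:\Users\Admin\zuuoteb.exe"
DROPPED_SHA256 = "0e381d0510f77cf4438441446882d0c1e59d5a6906fad209e5d5ed4e70e2d3c5"
KNOWN_HASHES = {SAMPLE_SHA256, DROPPED_SHA256}

# Registry locations the signature names imply (assumption, not stated on the page).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
EXPLORER_ADVANCED_RE = re.compile(r"\\CurrentVersion\\Explorer\\Advanced$", re.I)
HIDDEN_FILE_VALUES = {"hidden", "showsuperhidden"}
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
# An .exe written directly under C:\Users\<user>\ (where zuuoteb.exe landed).
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
GEO_KEY = r"HKCU\Control Panel\International\Geo"

# Constructed events, in the order the report's process tree suggests.
EVENTS = [
    {"type": "proc_create", "pid": 4956, "ppid": 3000, "image": SAMPLE_PATH, "sha256": SAMPLE_SHA256},
    {"type": "reg_query", "pid": 4956, "key": GEO_KEY, "value": "Nation"},
    {"type": "reg_set", "pid": 4956, "key": ADVANCED_KEY, "value": "Hidden", "data": 2},
    {"type": "reg_set", "pid": 4956, "key": ADVANCED_KEY, "value": "ShowSuperHidden", "data": 0},
    {"type": "file_create", "pid": 4956, "path": DROPPED_PATH, "sha256": DROPPED_SHA256},
    {"type": "reg_set", "pid": 4956, "key": RUN_KEY, "value": "zuuoteb", "data": DROPPED_PATH},
    {"type": "proc_create", "pid": 4532, "ppid": 4956, "image": DROPPED_PATH, "sha256": DROPPED_SHA256},
    # Benign control: the user flips "show hidden files" in Explorer's own UI.
    {"type": "proc_create", "pid": 800, "ppid": 700, "image": r"C:\Windows\explorer.exe", "sha256": "0" * 64},
    {"type": "reg_set", "pid": 800, "key": ADVANCED_KEY, "value": "Hidden", "data": 1},
]


def detect(events):
    """Return sorted (rule, pid) findings for one event stream."""
    image_of = {}    # pid -> image path, filled from proc_create events
    written_by = {}  # lower-cased file path -> pid that created it
    findings = set()
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "proc_create":
            image_of[pid] = ev["image"]
            if ev["sha256"].lower() in KNOWN_HASHES:
                findings.add(("ioc_hash_match", pid))
            # "Executes dropped EXE": the child's image was written by its own parent.
            if written_by.get(ev["image"].lower()) == ev["ppid"]:
                findings.add(("executes_dropped_exe", pid))
        elif kind == "file_create":
            written_by[ev["path"].lower()] = pid
            if PROFILE_ROOT_EXE_RE.match(ev["path"]):
                findings.add(("exe_written_to_profile_root", pid))
        elif kind == "reg_set":
            if RUN_KEY_RE.search(ev["key"]):
                findings.add(("run_key_persistence", pid))
            # Only Explorer itself legitimately rewrites these values (assumption).
            writer = image_of.get(pid, "").lower()
            if (EXPLORER_ADVANCED_RE.search(ev["key"])
                    and ev["value"].lower() in HIDDEN_FILE_VALUES
                    and not writer.endswith(r"\explorer.exe")):
                findings.add(("modifies_hidden_file_visibility", pid))
        elif kind == "reg_query":
            if GEO_KEY_RE.search(ev["key"]) and ev["value"].lower() == "nation":
                findings.add(("geolocation_check", pid))
    return sorted(findings)


def by_pid(findings):
    """Group rule names per process, mirroring the report's per-process view."""
    grouped = {}
    for rule, pid in findings:
        grouped.setdefault(pid, []).append(rule)
    return grouped


if __name__ == "__main__":
    for pid, rules in sorted(by_pid(detect(EVENTS)).items()):
        print(pid, ", ".join(rules))
```

Run stand-alone it prints the rules that fire per PID: everything except the dropped-EXE rule attaches to 4956, the dropped-EXE and hash rules to 4532, and nothing to the explorer.exe control, which is the distinction a real rule needs to keep the Explorer\Advanced signal from firing every time a user changes a folder option. The parent-child check for "executes dropped EXE" is stricter than a plain path match: it requires that the process launching the binary is the same one that wrote it, which is exactly the relationship the report's tree shows between PID 4956 and PID 4532.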

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zuuoteb.exe

    Filesize

    244KB

    MD5

    503ac75c2f1d9ac5c4a1699ceb3d85f8

    SHA1

    3a5bf61d5f62c238bd6ff36eff6923a4c7300d47

    SHA256

    0e381d0510f77cf4438441446882d0c1e59d5a6906fad209e5d5ed4e70e2d3c5

    SHA512

    efcff349f89c5582e06789dc62b558c53f7440f8f4761a66e715b13b3ea5981a77133b591404a8487df17de8e9af6879b9edf42fcbe011f088386a70054497ad