Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 20:12

General

  • Target

    e8a4f26cc6b144e5ed385c27c118f971fdc1dad89a4cf1f68c2cd2c472bcc06d.exe

  • Size

    224KB

  • MD5

    a154b78eb305581ada2a7f5c546a9180

  • SHA1

    3c87e18d3ff7c4c38edcb397f5c1833eef0acecd

  • SHA256

    e8a4f26cc6b144e5ed385c27c118f971fdc1dad89a4cf1f68c2cd2c472bcc06d

  • SHA512

    85738fea5f75373d02b5e9949843f29ebee02bcd182658bfa593216f68591e2b9e7caee37122626718ff4d483e2c350d08a5640f529c50ed7636c409c5a1a849

  • SSDEEP

    3072:sgk22i5UYJVFV5eDQHsuvNA05Vqtto24VmcZMUuXi46qndrAxIbY:9V3JrLeDQHr+uV0to24VmlUuSvqd

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a4f26cc6b144e5ed385c27c118f971fdc1dad89a4cf1f68c2cd2c472bcc06d.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a4f26cc6b144e5ed385c27c118f971fdc1dad89a4cf1f68c2cd2c472bcc06d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\kaebov.exe
      "C:\Users\Admin\kaebov.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3796

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\kaebov.exe

    Filesize

    224KB

    MD5

    2055e7751fc488f5065f2ad80dca08ac

    SHA1

    5d2035da5472cdab85445d9a4dd2a7f9896c69e3

    SHA256

    0ee6f7f8ef4e5c93710ed3765ace3c5823953198116b8796058032ad9fef6a36

    SHA512

    c0256b701c33fac5973b69c556761670111cea5a2dc4d9ed355cac35bdb2bfbdacd3ebdac8c85a3ddbcdf9b96d3f57faea09921a2d2cac1dc596495faa482f09

  • memory/2064-132-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/2064-141-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/3796-135-0x0000000000000000-mapping.dmp

  • memory/3796-140-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/3796-142-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB