Overview

overview

10

Static

static

888e9420a0...5a.exe

windows7-x64

10

888e9420a0...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 20:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    888e9420a0bcd87f21b94633045ff2ca1887269d377082cd9b2527ddc255785a.exe

  • Size

    216KB

  • MD5

    827ab36318a92aa7b17c056550a59951

  • SHA1

    e2a8c80d75954b556ba2c872d4279cdfe67f357c

  • SHA256

    888e9420a0bcd87f21b94633045ff2ca1887269d377082cd9b2527ddc255785a

  • SHA512

    14f022ed45b6d94557cdda9f410ec161ceb78274db0fee369526a59c0e4274b5924dee9d98b62bbc00c871c953edc6bb6dceecb7118a1c2478c5cf2350cd248e

  • SSDEEP

    6144:32SIfrt3+TetonBi3QxRy4g09ICSnqf9uSUgkxtpsaPjK/bEoK828fwAoEn+MKy:32Nrt3+TetonBi3QxRwfnqf9uSUgkxtS

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\888e9420a0bcd87f21b94633045ff2ca1887269d377082cd9b2527ddc255785a.exe
    "C:\Users\Admin\AppData\Local\Temp\888e9420a0bcd87f21b94633045ff2ca1887269d377082cd9b2527ddc255785a.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Users\Admin\yekiq.exe
      "C:\Users\Admin\yekiq.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5116

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\yekiq.exe
          Filesize

          216KB

          MD5

          7a7f98f6c3ef333002580e0925557209

          SHA1

          c748ee9db6ec5409bb1f374c6b7bbcb0c3ce43ab

          SHA256

          85619e6b29b431b385afc9aa3df45240280e315b623455b7bbba03a130af026e

          SHA512

          b34fb560cd6c735c22ec1773e2583dc6ab782246ee3aa3f6eb5d26c93adfce01cced7bcd01897300767fd84864fb8d78ed3b73dd5321f327a25645d8184a35bc

          Download Submit

        • C:\Users\Admin\yekiq.exe
          Filesize

          216KB

          MD5

          7a7f98f6c3ef333002580e0925557209

          SHA1

          c748ee9db6ec5409bb1f374c6b7bbcb0c3ce43ab

          SHA256

          85619e6b29b431b385afc9aa3df45240280e315b623455b7bbba03a130af026e

          SHA512

          b34fb560cd6c735c22ec1773e2583dc6ab782246ee3aa3f6eb5d26c93adfce01cced7bcd01897300767fd84864fb8d78ed3b73dd5321f327a25645d8184a35bc

          Download Submit