Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-11-2022 11:31

General

  • Target

    7e1196c89816dec3c0c862b471aba56884689059245b86efb8de0e4e088012cd.exe

  • Size

    120KB

  • MD5

    0f716fc354a988d3a8e7a5501820626a

  • SHA1

    f087086d0e6bbd931efe2e28378a4c72b9b63f96

  • SHA256

    7e1196c89816dec3c0c862b471aba56884689059245b86efb8de0e4e088012cd

  • SHA512

    888711908bbb2fbaf3e3bef1217859bf20ed3c6473d04eb023c793a6743815971584bdec8fe1a8335c2e7af4f6c47e1e61e230bb62f7c7953c547c159a7cde7f

  • SSDEEP

    3072:kqLiM4190i9CUXBmnFEB8C2h43wT5ZjHwM:kh0sCEBCh07

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e1196c89816dec3c0c862b471aba56884689059245b86efb8de0e4e088012cd.exe
    "C:\Users\Admin\AppData\Local\Temp\7e1196c89816dec3c0c862b471aba56884689059245b86efb8de0e4e088012cd.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\meima.exe
      "C:\Users\Admin\meima.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2460
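
The process tree above gives a responder three things to check on a suspect host: the dropped copy at C:\Users\<user>\meima.exe, a Run key that launches it, and the Explorer registry values that control whether hidden/system files are displayed. The script below is an added host-triage example, not part of the sandbox report. It assumes the standard registry locations for the behaviours the signatures name (the report does not list the exact values written): the Run keys under HKCU/HKLM ...\CurrentVersion\Run, and Hidden/ShowSuperHidden under HKCU\...\Explorer\Advanced. The two SHA256 values are the ones listed on this page.

```powershell
# Added triage example for the indicators in this report (not the sandbox's own tooling).
# Run in an elevated PowerShell session on the host under investigation.

# Hashes taken from the report: original sample and the dropped meima.exe.
$KnownSha256 = @{
    '7e1196c89816dec3c0c862b471aba56884689059245b86efb8de0e4e088012cd' = 'original sample'
    '05187531620231bdde63b4420a573457ac390d3be86a1aefc8e2fd5c36669ff1' = 'dropped meima.exe'
}
$DroppedName = 'meima.exe'
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped file: the sample wrote meima.exe into the root of the user profile.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $path = Join-Path $profile.FullName $DroppedName
    if (Test-Path -LiteralPath $path) {
        $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $label = if ($KnownSha256.ContainsKey($hash)) { $KnownSha256[$hash] } else { 'hash not in report' }
        $Findings.Add("file: $path sha256=$hash ($label)")
    }
}

# 2. Run keys (assumed locations for the "Adds Run key" signature): flag any value
#    whose command line references the dropped file name.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip PSPath/PSParentPath metadata
        if ($p.Value -is [string] -and $p.Value -like "*$DroppedName*") {
            $Findings.Add("run key: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. Explorer hidden/system file visibility (assumed values behind the "Modifies visibility"
#    signature). Hidden=2 and ShowSuperHidden=0 are also the Windows defaults, so report the
#    current values for comparison rather than treating them as proof on their own.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $v = Get-ItemProperty -Path $adv
    $Findings.Add("explorer: Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)")
}

# 4. Is the dropped copy currently running?
Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($DroppedName)) -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("process: $($_.ProcessName) PID=$($_.Id) path=$($_.Path)") }

if ($Findings.Count -eq 0) { 'no indicators from the report found' } else { $Findings }
```

The file-name match on the Run key is deliberately loose because the report records that a Run key was added but not the value name; confirm a hit by hashing the referenced binary against the two SHA256 values above before acting on it.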

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\meima.exe

    Filesize

    120KB

    MD5

    2a7fa13ce20d8f724ba675681194c4e5

    SHA1

    57bf4a2f6ad1f23ad9551ded918aed9eb1288bb0

    SHA256

    05187531620231bdde63b4420a573457ac390d3be86a1aefc8e2fd5c36669ff1

    SHA512

    28140d70fd52fed847a9c5a6d8cfddea35194821d74b233e2086b53ac070b87b0c06d3d2c95a0e621293d0e10b4cad401ffe0e6f98b8c43eef156f7cab08d419

  • memory/2460-134-0x0000000000000000-mapping.dmp