Overview

overview

10

Static

static

9ea307bbec...94.exe

windows7-x64

10

9ea307bbec...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2022, 15:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9ea307bbec060c25e80edcf94656775ee7d86e28d3cf4660110aef5efb31ab94.exe

  • Size

    140KB

  • MD5

    07509c7d2211974823aa612437250c00

  • SHA1

    5f878bccbc843d7e09f882af3211d72805d67f37

  • SHA256

    9ea307bbec060c25e80edcf94656775ee7d86e28d3cf4660110aef5efb31ab94

  • SHA512

    531638def19c841da61b4b5aec3c12f70a92c97b25898d5af886506827e0c240ed8816fc5dd737e49fe314b13390467b4f4e07922a6f3f6c68cbc6a11b87005d

  • SSDEEP

    3072:QBgclSAY5uXq0cu3XMO4nZLJY0PoeU60ohKdlLWO3:QBoAY5uXq0cu3XMO4nZLJPot60ohKdlL

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ea307bbec060c25e80edcf94656775ee7d86e28d3cf4660110aef5efb31ab94.exe
    "C:\Users\Admin\AppData\Local\Temp\9ea307bbec060c25e80edcf94656775ee7d86e28d3cf4660110aef5efb31ab94.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Users\Admin\jrfouz.exe
      "C:\Users\Admin\jrfouz.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1452

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\jrfouz.exe
          Filesize

          140KB

          MD5

          736cad4aff34f2eee1e49f41b4153452

          SHA1

          36f751e4633e4598363de292ba010518dda927b4

          SHA256

          08ed2c2ba4d3eeadebbb87d74206a4d01763da5cb1dc99193a0c9ba118575e42

          SHA512

          be09b320ba26f74ce959b645debd064f5d2814ccfc9b433d51bca5df4565fe2948cde7ead187ddcb029e140060a7410e474aca281243da6a53cf5c04ea770276

          Download Submit

        • C:\Users\Admin\jrfouz.exe
          Filesize

          140KB

          MD5

          736cad4aff34f2eee1e49f41b4153452

          SHA1

          36f751e4633e4598363de292ba010518dda927b4

          SHA256

          08ed2c2ba4d3eeadebbb87d74206a4d01763da5cb1dc99193a0c9ba118575e42

          SHA512

          be09b320ba26f74ce959b645debd064f5d2814ccfc9b433d51bca5df4565fe2948cde7ead187ddcb029e140060a7410e474aca281243da6a53cf5c04ea770276

          Download Submit

        • \Users\Admin\jrfouz.exe
          Filesize

          140KB

          MD5

          736cad4aff34f2eee1e49f41b4153452

          SHA1

          36f751e4633e4598363de292ba010518dda927b4

          SHA256

          08ed2c2ba4d3eeadebbb87d74206a4d01763da5cb1dc99193a0c9ba118575e42

          SHA512

          be09b320ba26f74ce959b645debd064f5d2814ccfc9b433d51bca5df4565fe2948cde7ead187ddcb029e140060a7410e474aca281243da6a53cf5c04ea770276

          Download Submit

        • \Users\Admin\jrfouz.exe
          Filesize

          140KB

          MD5

          736cad4aff34f2eee1e49f41b4153452

          SHA1

          36f751e4633e4598363de292ba010518dda927b4

          SHA256

          08ed2c2ba4d3eeadebbb87d74206a4d01763da5cb1dc99193a0c9ba118575e42

          SHA512

          be09b320ba26f74ce959b645debd064f5d2814ccfc9b433d51bca5df4565fe2948cde7ead187ddcb029e140060a7410e474aca281243da6a53cf5c04ea770276

          Download Submit

        • memory/872-57-0x0000000076181000-0x0000000076183000-memory.dmp

          Filesize

          8KB

          Download

        • memory/872-56-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/872-66-0x0000000002D50000-0x0000000002D73000-memory.dmp

          Filesize

          140KB

          Download

        • memory/872-65-0x0000000002D50000-0x0000000002D73000-memory.dmp

          Filesize

          140KB

          Download

        • memory/872-69-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/872-70-0x0000000002D50000-0x0000000002D73000-memory.dmp

          Filesize

          140KB

          Download

        • memory/1452-67-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download

        • memory/1452-71-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download