Overview

overview

10

Static

static

f0ab94fb70...42.exe

windows7-x64

10

f0ab94fb70...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142.exe

  • Size

    220KB

  • MD5

    03e99d0c55f82a8099fcc463ed0b4d20

  • SHA1

    9b4d6dea9cfb2da85e10d09b5bbf855a503284ef

  • SHA256

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142

  • SHA512

    ea27d3614a4b276897d9bfdcc7115792a927f9bea8c09365d57e85a003010048aedec938f04dc837569a3e8f23b7384b12ce76bba578b9ea44d285940f5d1806

  • SSDEEP

    3072:F125rPIa3gisjfGKL+4Rq9GBXPNTClp5GQGvrdSuqTvnKSk3SwTDaWBkNNK:GAKsjfiGBglp5GQGvrdSuqTvnKSkCGk

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142.exe
      71
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Loads dropped DLL
      • Adds Run key to start application
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\ppzuow.exe
        "C:\Users\Admin\ppzuow.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\ppzuow.exe
          71
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Drops autorun.inf file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ppzuow.exe
    Filesize

    220KB

    MD5

    03e99d0c55f82a8099fcc463ed0b4d20

    SHA1

    9b4d6dea9cfb2da85e10d09b5bbf855a503284ef

    SHA256

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142

    SHA512

    ea27d3614a4b276897d9bfdcc7115792a927f9bea8c09365d57e85a003010048aedec938f04dc837569a3e8f23b7384b12ce76bba578b9ea44d285940f5d1806

    Download Submit

  • C:\Users\Admin\ppzuow.exe
    Filesize

    220KB

    MD5

    03e99d0c55f82a8099fcc463ed0b4d20

    SHA1

    9b4d6dea9cfb2da85e10d09b5bbf855a503284ef

    SHA256

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142

    SHA512

    ea27d3614a4b276897d9bfdcc7115792a927f9bea8c09365d57e85a003010048aedec938f04dc837569a3e8f23b7384b12ce76bba578b9ea44d285940f5d1806

    Download Submit

  • C:\Users\Admin\ppzuow.exe
    Filesize

    220KB

    MD5

    03e99d0c55f82a8099fcc463ed0b4d20

    SHA1

    9b4d6dea9cfb2da85e10d09b5bbf855a503284ef

    SHA256

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142

    SHA512

    ea27d3614a4b276897d9bfdcc7115792a927f9bea8c09365d57e85a003010048aedec938f04dc837569a3e8f23b7384b12ce76bba578b9ea44d285940f5d1806

    Download Submit

  • \Users\Admin\ppzuow.exe
    Filesize

    220KB

    MD5

    03e99d0c55f82a8099fcc463ed0b4d20

    SHA1

    9b4d6dea9cfb2da85e10d09b5bbf855a503284ef

    SHA256

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142

    SHA512

    ea27d3614a4b276897d9bfdcc7115792a927f9bea8c09365d57e85a003010048aedec938f04dc837569a3e8f23b7384b12ce76bba578b9ea44d285940f5d1806

    Download Submit

  • \Users\Admin\ppzuow.exe
    Filesize

    220KB

    MD5

    03e99d0c55f82a8099fcc463ed0b4d20

    SHA1

    9b4d6dea9cfb2da85e10d09b5bbf855a503284ef

    SHA256

    f0ab94fb7002e5a4a79cbd2edf31520040fb049348e0f03b7ba80566734ca142

    SHA512

    ea27d3614a4b276897d9bfdcc7115792a927f9bea8c09365d57e85a003010048aedec938f04dc837569a3e8f23b7384b12ce76bba578b9ea44d285940f5d1806

    Download Submit

  • memory/864-62-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/864-56-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/960-64-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/960-57-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/960-65-0x0000000075141000-0x0000000075143000-memory.dmp

    Filesize

    8KB

    Download

  • memory/960-60-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/960-73-0x00000000029F0000-0x0000000002A39000-memory.dmp

    Filesize

    292KB

    Download

  • memory/960-74-0x00000000029F0000-0x0000000002A39000-memory.dmp

    Filesize

    292KB

    Download

  • memory/960-86-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1232-84-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1232-87-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1380-80-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1380-75-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download