Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2022, 16:28

General

  • Target

    189ff646a6e813be90747f0ecfed0bb9eaebcfee07f77bb89a0e44163b239de6.exe

  • Size

    184KB

  • MD5

    0b333cd71539e75b2ee901b61e417e9a

  • SHA1

    dce1b9bc146ef5019d04c41bd90fd49f85a04d40

  • SHA256

    189ff646a6e813be90747f0ecfed0bb9eaebcfee07f77bb89a0e44163b239de6

  • SHA512

    33719533eff7fb69dee2e1be3ad381d6a8c69c190c4b84537fcb335a810003bfba4309269cee6ee64c35f10b496ac2f3a31f66ee1c4a1c8cbf021d35138ba8fd

  • SSDEEP

    3072:t0FEOpfEQVdmpAxTIfJyX33RPvSk8g0gV093:t0P9ZdcARIfA3lvStg+l

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\189ff646a6e813be90747f0ecfed0bb9eaebcfee07f77bb89a0e44163b239de6.exe
    "C:\Users\Admin\AppData\Local\Temp\189ff646a6e813be90747f0ecfed0bb9eaebcfee07f77bb89a0e44163b239de6.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Users\Admin\cauiri.exe
      "C:\Users\Admin\cauiri.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:948

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\cauiri.exe

    Filesize

    184KB

    MD5

    6961c4be0e1caf69625f5456d9a8bd8a

    SHA1

    db22e47bee0f1bad579c97099e6484862b55b854

    SHA256

    05d65f47ec3c3484856ba128fe189dcb6ae03e2ed45e4774df59d954dbd1161a

    SHA512

    79e58886c961e040c200511995549e6cfe64fc147ed0fef0c04ec2e377a97cca82b11af84d796248293151bba22a0fcf351085cabbb035185812539f6d969c96

  • memory/1896-56-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB