Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-11-2022 20:24

General

  • Target

    ba444246f078eefbfc7946cfa7ca5b136eeee49c13b0b5bc162b79cfaf68606e.exe

  • Size

    192KB

  • MD5

    09f1433725d1e2ce3d1259b08e042234

  • SHA1

    3807d61ddf4dbb1a92a5e00d238bac1ccceced7d

  • SHA256

    ba444246f078eefbfc7946cfa7ca5b136eeee49c13b0b5bc162b79cfaf68606e

  • SHA512

    f37cb33249e55abe0920cb04b82b8d8a9405976296162e1d84c13a6c35f3e164ddcf31d1b985affbcfb17198481ea4c5b1198b1aae5fd5039a4d006fd9fe435d

  • SSDEEP

    1536:VfHABQruHlTZPRi4iti93MH9iV6MRfWzzp3BHReQbIYL2XoPLJB514R9/57rqiWD:x2QraTlRi4itiSHXzp3uYTPLJOTWD

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba444246f078eefbfc7946cfa7ca5b136eeee49c13b0b5bc162b79cfaf68606e.exe
    "C:\Users\Admin\AppData\Local\Temp\ba444246f078eefbfc7946cfa7ca5b136eeee49c13b0b5bc162b79cfaf68606e.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\jauwio.exe
      "C:\Users\Admin\jauwio.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4804

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\jauwio.exe

    Filesize

    192KB

    MD5

    0c1d8bf510a734da8ccb904899173130

    SHA1

    ecc29eb4df5f26004d0f91e10e6542996f41dd2b

    SHA256

    4f3a0e142969af90beb67212f4f0902111de6030d51e3dcdedaffb446f024ddf

    SHA512

    1e4d5fb388db4f1506210ad1583ed011fa78cc9123d92e8f0abb25c8a88725378f00472a2c49e50cc5a61064f5ca3aba231f2ed4e201beb1e1a3f981eac64f0e

  • memory/4804-134-0x0000000000000000-mapping.dmp