Overview

overview

10

Static

static

f4a5108107...41.exe

windows7-x64

10

f4a5108107...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 20:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f4a51081077213456429ab4a1fd2efd5912141d583cfa83e032eb4fb123f7941.exe

  • Size

    172KB

  • MD5

    05b18d00679326498ccb879a67d5564c

  • SHA1

    d16892ce71e84f56c3867ded3df9494ecfee2b8a

  • SHA256

    f4a51081077213456429ab4a1fd2efd5912141d583cfa83e032eb4fb123f7941

  • SHA512

    784b5f725e724fca0146f49e53fbf47fd6dc93002d56867a48ee45912f0dd3a4cf970fc06ebab2a25aae5abf0d1b7c3a53990c22ca367e328f25522b53752679

  • SSDEEP

    3072:pZhDLsNgqeXF3mnDMqkVfJX936oDoZqWrvKeG8o:hDLsNgLV3mnDMqkpJX93GZqWry/

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 58 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4a51081077213456429ab4a1fd2efd5912141d583cfa83e032eb4fb123f7941.exe
    "C:\Users\Admin\AppData\Local\Temp\f4a51081077213456429ab4a1fd2efd5912141d583cfa83e032eb4fb123f7941.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\hezac.exe
      "C:\Users\Admin\hezac.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1424

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\hezac.exe
          Filesize

          172KB

          MD5

          06721d76268bd156b248a21f4c693f5c

          SHA1

          7aa5e798550753c4f4d04719e26270e30e32c134

          SHA256

          9cf4a6bc8d5554278bfb608b13ed9362135c95a21b013c9efc0edea53547ecbb

          SHA512

          28cef24ad5edb5da630493b5e6de5328ac574b19c855bac34f71fc61a0ab3d2ef89552bc263741d4895bdb143c64f0197792d51ac244a6b0fa0667e054aab48a

          Download Submit

        • C:\Users\Admin\hezac.exe
          Filesize

          172KB

          MD5

          06721d76268bd156b248a21f4c693f5c

          SHA1

          7aa5e798550753c4f4d04719e26270e30e32c134

          SHA256

          9cf4a6bc8d5554278bfb608b13ed9362135c95a21b013c9efc0edea53547ecbb

          SHA512

          28cef24ad5edb5da630493b5e6de5328ac574b19c855bac34f71fc61a0ab3d2ef89552bc263741d4895bdb143c64f0197792d51ac244a6b0fa0667e054aab48a

          Download Submit