Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 11:08

General

  • Target

    fe0094b43cf5f527b520fd387b7bb7532be6adb2cf773fd5615c0a41190081f8.exe

  • Size

    43KB

  • MD5

    4844ce6123f316de09ad8d30c8aaabc2

  • SHA1

    c11fe89eeb001e9b33296144e45fff7d597a8dae

  • SHA256

    fe0094b43cf5f527b520fd387b7bb7532be6adb2cf773fd5615c0a41190081f8

  • SHA512

    15f5d394884eaf37532226b7fd0e7608064f4aeeb0bc995295e62b4b508e9b17ec00a4a80cd30dd2a3da5c687ba7742616045b6ce3582ac61ff0fb8f360273a6

  • SSDEEP

    768:qspvryXgi4VhQelswKhGSnmAH0KBh/DokmAAK1K2M67yfirwuS:tpvryX54r67skmAAK1K8Miy

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe0094b43cf5f527b520fd387b7bb7532be6adb2cf773fd5615c0a41190081f8.exe
    "C:\Users\Admin\AppData\Local\Temp\fe0094b43cf5f527b520fd387b7bb7532be6adb2cf773fd5615c0a41190081f8.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FE0094~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1140
  • C:\Windows\caycwq.exe
    C:\Windows\caycwq.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    PID:1996

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\caycwq.exe

    Filesize

    43KB

    MD5

    4844ce6123f316de09ad8d30c8aaabc2

    SHA1

    c11fe89eeb001e9b33296144e45fff7d597a8dae

    SHA256

    fe0094b43cf5f527b520fd387b7bb7532be6adb2cf773fd5615c0a41190081f8

    SHA512

    15f5d394884eaf37532226b7fd0e7608064f4aeeb0bc995295e62b4b508e9b17ec00a4a80cd30dd2a3da5c687ba7742616045b6ce3582ac61ff0fb8f360273a6

  • \Windows\SysWOW64\hra33.dll

    Filesize

    52KB

    MD5

    27f04eb7bf8773f8a0af798ba46c88f8

    SHA1

    3681c8a04416fd57495999f7d3153a9f02d0f136

    SHA256

    851657bcbd289c3b4b508589a8084c0c46698dc841a3c91efa2ffc091ccd98d1

    SHA512

    0bed96d86073fab26d3f62f72f3fc97aa1a5ae3433aa24094ae991de391e4086d477d168e1af11a7f0939a884bb55d979642cc3aee0bba63425b41e303def44b

  • memory/1140-57-0x0000000000000000-mapping.dmp

  • memory/2012-54-0x0000000076391000-0x0000000076393000-memory.dmp

    Filesize

    8KB