Overview

overview

8

Static

static

5eeeff3503...4a.exe

windows7-x64

8

5eeeff3503...4a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe

  • Size

    327KB

  • MD5

    af5802e08b93be5ba00e7f52e7012807

  • SHA1

    b493160c357482e4dbec84e750e1d21d9fdafc15

  • SHA256

    5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a

  • SHA512

    ceb82c4cb2e24911ae0e5ee3696761b1b7f5e40291da1c33f6beb6e412bbf17ebd80cfff048867fe2a08e1debbb637c2a5501d53a6aef1cd8401801ee82d8b4e

  • SSDEEP

    6144:FJCvfb//eyEFyOStCMWQUt67Q4yP0hTTyN/+CrU+O+LqO:FJKb//evFyOStoy7yP0VbCA+qO

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
        "C:\Users\Admin\AppData\Local\Temp\5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Users\Admin\AppData\Roaming\Ogdoo\zeuqi.exe
          "C:\Users\Admin\AppData\Roaming\Ogdoo\zeuqi.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            4⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:952
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc4e3fb20.bat"
          3⤵
          • Deletes itself
          PID:1640
    • C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
      1⤵
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1872

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpc4e3fb20.bat
      Filesize

      307B

      MD5

      11635e6557c983cd1ca6ba04d43e4800

      SHA1

      8a7ff72dd7cf5b7764b31cc2fedeb9b20e321de9

      SHA256

      4aae9d441aad9aa846c4684d4481bd4daf6cc6fb16669710ffaeb45a4baa8cb6

      SHA512

      8ef195d7a992a7449aa80df15cf56a0b257dbd0c7d55f7f25c75589eca251878f7ae30445656de10b1b42a0778c6d3392122f6594a0c8298e1e47bdfd9738086

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Ogdoo\zeuqi.exe
      Filesize

      327KB

      MD5

      01811c88e7a6cd3311d408d5cdfe0954

      SHA1

      528b858ac6467c434d8960763aff7cbc23993ae0

      SHA256

      ef563b72ad2e9e9aec171cabc4feefb6b5fa0fe65803e978bd2d1d19be00ae3f

      SHA512

      71fcb90db7c982c00921d972a65b2621e2b5e07937f1028421b68d1b292156b95844b2f246b163fc9533bc84283f6cf539869615249886eb3fa41ef27acca499

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Ogdoo\zeuqi.exe
      Filesize

      327KB

      MD5

      01811c88e7a6cd3311d408d5cdfe0954

      SHA1

      528b858ac6467c434d8960763aff7cbc23993ae0

      SHA256

      ef563b72ad2e9e9aec171cabc4feefb6b5fa0fe65803e978bd2d1d19be00ae3f

      SHA512

      71fcb90db7c982c00921d972a65b2621e2b5e07937f1028421b68d1b292156b95844b2f246b163fc9533bc84283f6cf539869615249886eb3fa41ef27acca499

      Download Submit

    • \Users\Admin\AppData\Roaming\Ogdoo\zeuqi.exe
      Filesize

      327KB

      MD5

      01811c88e7a6cd3311d408d5cdfe0954

      SHA1

      528b858ac6467c434d8960763aff7cbc23993ae0

      SHA256

      ef563b72ad2e9e9aec171cabc4feefb6b5fa0fe65803e978bd2d1d19be00ae3f

      SHA512

      71fcb90db7c982c00921d972a65b2621e2b5e07937f1028421b68d1b292156b95844b2f246b163fc9533bc84283f6cf539869615249886eb3fa41ef27acca499

      Download Submit

    • memory/332-65-0x0000000002520000-0x00000000025B5000-memory.dmp

      Filesize

      596KB

      Download

    • memory/332-59-0x0000000000000000-mapping.dmp

      Download

    • memory/332-62-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/952-77-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-76-0x0000000074C81000-0x0000000074C83000-memory.dmp

      Filesize

      8KB

      Download

    • memory/952-68-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-69-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-72-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-71-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-70-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-66-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-73-0x0000000000080000-0x00000000000AC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/952-74-0x0000000000000000-mapping.dmp

      Download

    • memory/1640-106-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-103-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-116-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-114-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-113-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-110-0x00000000001DF44C-mapping.dmp

      Download

    • memory/1640-109-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-108-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-105-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1640-107-0x00000000001C0000-0x00000000001EC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1872-95-0x00000000023D0000-0x00000000023E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1872-87-0x000007FEF6CD1000-0x000007FEF6CD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1872-89-0x0000000000360000-0x0000000000370000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1872-86-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2012-84-0x0000000002C00000-0x0000000002C2C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2012-88-0x0000000002C00000-0x0000000002C56000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2012-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2012-57-0x0000000001F80000-0x0000000002015000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2012-111-0x0000000002C00000-0x0000000002C2C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2012-85-0x0000000002C00000-0x0000000002C2C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2012-82-0x0000000002C00000-0x0000000002C2C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2012-83-0x0000000002C00000-0x0000000002C2C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2012-55-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2012-80-0x0000000002C00000-0x0000000002C2C000-memory.dmp

      Filesize

      176KB

      Download