Analysis

  • max time kernel
    188s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 16:44

General

  • Target

    8053aecfde7a31c5abb033c856720f1fdfcfef12b4f8512a60ca66b6980ea45f.exe

  • Size

    305KB

  • MD5

    423918282ae8e7ee8b6c0bcace1815a0

  • SHA1

    a13ec1f260d261e99fe26b16610a45c2b52d1f9e

  • SHA256

    8053aecfde7a31c5abb033c856720f1fdfcfef12b4f8512a60ca66b6980ea45f

  • SHA512

    85a083ed6ca4a1ca706c525a2500847771164e5086bac46eb4e8241eac4c9f1d4c774490be26618129a924b3e99dbb1e1459c0c6236152ed4d336274ec7b9014

  • SSDEEP

    3072:pa2YiHOPiu8aQe3TqDUCiGjHJDbRv9y+qwa+rZf/M2BXHGr/n:RYiHOf3TqD+0HBb5ta+rZ3MaWT

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8053aecfde7a31c5abb033c856720f1fdfcfef12b4f8512a60ca66b6980ea45f.exe
    "C:\Users\Admin\AppData\Local\Temp\8053aecfde7a31c5abb033c856720f1fdfcfef12b4f8512a60ca66b6980ea45f.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\voetaaj.exe
      "C:\Users\Admin\voetaaj.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4456

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\voetaaj.exe

    Filesize

    305KB

    MD5

    482beb610039dc6b68660810882c15d0

    SHA1

    4d18c6bfd7de66f7d0eef4e5b02025957c0db850

    SHA256

    5e694fc84f154415d81e199a532521b21f66f22fc800fff1414228a5cad6dbee

    SHA512

    0683d02301b31853cb328b82fdd71366a22b2c023de19ac55aaa7044dcb67300263f8042cd770d61b09041df382bae71d8c6e4394c9dabee2229a4dd2c6646b3

  • memory/2880-132-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2880-141-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/4456-135-0x0000000000000000-mapping.dmp

  • memory/4456-140-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/4456-142-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB