Analysis

  • max time kernel
    66s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-11-2022 16:45

General

  • Target

    9cf13281b541e2defe56505b69f8df2945c85876a438649e44bc7a98929d68aa.exe

  • Size

    88KB

  • MD5

    5e690fa19585e0e553366311ee0a16c0

  • SHA1

    08b53f2a499dc15cba5d6c4d055d3c780ef52324

  • SHA256

    9cf13281b541e2defe56505b69f8df2945c85876a438649e44bc7a98929d68aa

  • SHA512

    ba6168f3a4c85770952e023b3fff1e7b3dc1d103a5ef43b74f6fb77b59f8aa3c0c36fa9a02ad36a1eb9be80dfcabec9ccc344d69ad9e6f6ac17bb63367fd1fcb

  • SSDEEP

    1536:6eUDdZnW1pLDcw3Hr+PaGme7pPXLq0zTrkyP:JUDrnl1XTzToyP

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cf13281b541e2defe56505b69f8df2945c85876a438649e44bc7a98929d68aa.exe
    "C:\Users\Admin\AppData\Local\Temp\9cf13281b541e2defe56505b69f8df2945c85876a438649e44bc7a98929d68aa.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\whtoak.exe
      "C:\Users\Admin\whtoak.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2708

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\whtoak.exe

    Filesize

    88KB

    MD5

    aaac2d55729e0685983f0e069fb8dbad

    SHA1

    20869370c0e19ae315224b6f1270ca92460fba0f

    SHA256

    3e07080c172df89bc7927346cd3dd1a90442ab01df714769f2de40145a02cff1

    SHA512

    d819f4aaaa95887a13006dc8d7f153fd8517ac467248473b5c016b3cf67ee9acb199412a09ca7a7adfa0b337f10acdee7b38cb0beea586844a394f8a435a2867

  • memory/2708-134-0x0000000000000000-mapping.dmp