Overview

overview

10

Static

static

c1aaf2dd35...f6.exe

windows7-x64

10

c1aaf2dd35...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe

  • Size

    152KB

  • MD5

    42fbccf64541cffa18ba28cd878d3250

  • SHA1

    ae00dd2eef075e74327a1136a35becfeb72d2675

  • SHA256

    c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6

  • SHA512

    5778b96b428fc163458d24130d6ede6fbce2263419596b4dcbad1d5d76a7d40078354784be3939aca28e0c58a76a490629c4dec943dc63c4e1f65dad1e87966d

  • SSDEEP

    3072:T3jIpK9xKA9w2p4QZisLaazNiIIkyyqN4oQZiEHPgcF:T3cpKxY+1isuazgfklcWVP3

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
    "C:\Users\Admin\AppData\Local\Temp\c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Users\Admin\jiaab.exe
      "C:\Users\Admin\jiaab.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1
T1158

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\jiaab.exe
    Filesize

    152KB

    MD5

    1e1e844f56175a2d38b83542d87b161b

    SHA1

    01e82d16ce5f61ae6f0257434ddeb5443605bfdc

    SHA256

    b82151768bec6bd8ec70805400233ca18ea8e2f3e999c3a0f5826e6b42f08cbd

    SHA512

    9077919f7789c3954b987441a288ef822744cf9932a33e505e6981ce2393a938b85cf21bdcaf6316884354b891a3f9b7c3b04cb3a9774a1dc2eab44bd619dd6c

    Download Submit
  • C:\Users\Admin\jiaab.exe
    Filesize

    152KB

    MD5

    1e1e844f56175a2d38b83542d87b161b

    SHA1

    01e82d16ce5f61ae6f0257434ddeb5443605bfdc

    SHA256

    b82151768bec6bd8ec70805400233ca18ea8e2f3e999c3a0f5826e6b42f08cbd

    SHA512

    9077919f7789c3954b987441a288ef822744cf9932a33e505e6981ce2393a938b85cf21bdcaf6316884354b891a3f9b7c3b04cb3a9774a1dc2eab44bd619dd6c

    Download Submit
  • memory/724-134-0x0000000000000000-mapping.dmp
    Download