Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20220812-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    23-11-2022 15:53

General

  • Target

    bf116b7685a6cb355df26acab15b47f62789a43cbce8ecfcc5f1ccf98e0aaf15.exe

  • Size

    344KB

  • MD5

    4b71ebffe6335cfc46001df8d105de70

  • SHA1

    7f8f291cc038c3fd60362807273f9bccd567b45c

  • SHA256

    bf116b7685a6cb355df26acab15b47f62789a43cbce8ecfcc5f1ccf98e0aaf15

  • SHA512

    f275a610f26d00afcac23e86ea06f18291e3b79b74060d42bf36cd98cddb2fc2c1c7e485a5e6352fc93a3d8005b85bad04240205bf487c065448bc3fefc071a3

  • SSDEEP

    6144:DmyVIlx/STuiNGEDB0IMuwPkrcmhh7lvyNdh9cDaX/m7bfTWafFZ5S4YvVZ9PkHP:SQm/STuiNGEDB0IMuwPWfZvyNdh9cDau

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf116b7685a6cb355df26acab15b47f62789a43cbce8ecfcc5f1ccf98e0aaf15.exe
    "C:\Users\Admin\AppData\Local\Temp\bf116b7685a6cb355df26acab15b47f62789a43cbce8ecfcc5f1ccf98e0aaf15.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\miajaor.exe
      "C:\Users\Admin\miajaor.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3768

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\miajaor.exe

    Filesize

    344KB

    MD5

    c38b0736cb62a4cfdc237bb9f4afed98

    SHA1

    8c11d083ec1d5333a8416592f0d3a67159f1c9e4

    SHA256

    c8713abb8218ea78b81c331530e9381d8d1b0efee140e7b3d245f8f7b01773dc

    SHA512

    429371d3ffd98d65ecc7fd85c43a38c42b9c59561d54f0b0384946e4d6fa4d77035ea39395117e8c8f104b459e7544eee4ff1a67d7ddf66f9e4a5946c7efec8c

  • memory/3768-134-0x0000000000000000-mapping.dmp
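The signatures and process tree above describe five host artefacts an analyst can check for: a Run-key entry pointing at the dropped executable, changed Explorer hidden/system-file settings, a registry country-code lookup, the dropped file C:\Users\<user>\miajaor.exe (whose SHA256 c8713abb... differs from the submitted sample bf116b76..., so both are compared), and a running copy of it. The script below is an added triage example written for this page; it is not part of the sandbox output. It assumes the standard registry locations for Run persistence (HKCU/HKLM ...\CurrentVersion\Run), Explorer view settings (...\Explorer\Advanced, values Hidden and ShowSuperHidden) and the per-user GeoID (HKCU\Control Panel\International\Geo\Nation) are what the signatures refer to; the report itself does not name the keys.

```powershell
# Added host-triage example for the behaviours listed in this report (not
# sandbox output). Registry paths are the standard locations for these
# settings and are assumed to be what the sandbox signatures key on.

$DroppedName    = 'miajaor.exe'
$DroppedSha256  = 'c8713abb8218ea78b81c331530e9381d8d1b0efee140e7b3d245f8f7b01773dc'  # Downloads section
$OriginalSha256 = 'bf116b7685a6cb355df26acab15b47f62789a43cbce8ecfcc5f1ccf98e0aaf15'  # General section
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Where, $Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Where = $Where; Value = $Value })
}

# 1. "Adds Run key to start application": any Run value that references the dropped name.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        if ("$($p.Value)" -like "*$DroppedName*") {
            Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value
        }
    }
}

# 2. "Modifies visibility of hidden/system files in Explorer": report the current
#    values. Windows 10 defaults are Hidden=2 (do not show hidden files) and
#    ShowSuperHidden=0 (hide protected OS files), so compare against the user's
#    known baseline rather than treating these values alone as proof of tampering.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $a = Get-ItemProperty -Path $adv
    Add-Finding 'ExplorerAdvanced' $adv ('Hidden={0} ShowSuperHidden={1}' -f $a.Hidden, $a.ShowSuperHidden)
}

# 3. "Checks computer location settings": the per-user country code (GeoID)
#    the sample is assumed to read for its geofence decision.
$geo = 'HKCU:\Control Panel\International\Geo'
if (Test-Path $geo) {
    Add-Finding 'GeoID' $geo ((Get-ItemProperty -Path $geo).Nation)
}

# 4. Dropped file: the sample wrote miajaor.exe to the profile root, so look in
#    every profile and compare SHA256 with both hashes from the report.
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $candidate = Join-Path $_.FullName $DroppedName
    if (Test-Path $candidate) {
        $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash.ToLower()
        $tag  = if ($hash -eq $DroppedSha256)      { 'MATCH dropped copy' }
                elseif ($hash -eq $OriginalSha256) { 'MATCH submitted sample' }
                else                               { 'same name, different hash' }
        Add-Finding 'DroppedFile' $candidate "$hash ($tag)"
    }
}

# 5. A running copy of the dropped executable (PID 3768 in the sandbox run).
Get-Process -Name ($DroppedName -replace '\.exe$', '') -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Process' "PID $($_.Id)" $_.Path
}

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the suspect host; HKLM Run keys and other users' profile directories are only readable with administrator rights. A Run-key hit or a hash match on the dropped file is a positive indicator; the Explorer and GeoID rows are context for the analyst, since their values also occur on clean machines.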