Overview

overview

10

Static

static

b19d49901a...61.exe

windows7-x64

10

b19d49901a...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe

  • Size

    128KB

  • MD5

    5ff1dfa3e99499031ce8b416633c8cc0

  • SHA1

    c5788fa88c87094e2eb2dbc58308a35da89967e5

  • SHA256

    b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361

  • SHA512

    4bf288184df11390f5b06ec922c3ecf2b23f17fd8854a720c87d1cb15eebb6edfbcc729b3bdcc678b8dbb4e199cd75a6b9a0219b7a60a2b50493e3f0b9f515a2

  • SSDEEP

    1536:idusiAhgIuFQFvHwd6PXOYb7gXWgWKsEHTINeG0h/E:Susiqg/FQByYb7gvsEzM

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe
    "C:\Users\Admin\AppData\Local\Temp\b19d49901abd80afa963c45e08cc6f34cb28c715fd9082256474c93d2bff4361.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\pooiket.exe
      "C:\Users\Admin\pooiket.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1404

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\pooiket.exe
    Filesize

    128KB

    MD5

    b7aa49af2d675c20359083983842f0fb

    SHA1

    86ae220ad38fecb636eb2acc08e040eccf8a9a29

    SHA256

    79ace97b2bda05e1da2524428f278c7504dd892862d7bdcb35850ab28c4f5b09

    SHA512

    b430bb7e87932ce8dc50191d1257878a793f23135232aa0424c79c60d6e2b4ec9ef22e7fc2bf27f3802017927941588016b0e1fa3e4226812c801ca9186bb12b

    Download Submit

  • C:\Users\Admin\pooiket.exe
    Filesize

    128KB

    MD5

    b7aa49af2d675c20359083983842f0fb

    SHA1

    86ae220ad38fecb636eb2acc08e040eccf8a9a29

    SHA256

    79ace97b2bda05e1da2524428f278c7504dd892862d7bdcb35850ab28c4f5b09

    SHA512

    b430bb7e87932ce8dc50191d1257878a793f23135232aa0424c79c60d6e2b4ec9ef22e7fc2bf27f3802017927941588016b0e1fa3e4226812c801ca9186bb12b

    Download Submit

  • \Users\Admin\pooiket.exe
    Filesize

    128KB

    MD5

    b7aa49af2d675c20359083983842f0fb

    SHA1

    86ae220ad38fecb636eb2acc08e040eccf8a9a29

    SHA256

    79ace97b2bda05e1da2524428f278c7504dd892862d7bdcb35850ab28c4f5b09

    SHA512

    b430bb7e87932ce8dc50191d1257878a793f23135232aa0424c79c60d6e2b4ec9ef22e7fc2bf27f3802017927941588016b0e1fa3e4226812c801ca9186bb12b

    Download Submit

  • \Users\Admin\pooiket.exe
    Filesize

    128KB

    MD5

    b7aa49af2d675c20359083983842f0fb

    SHA1

    86ae220ad38fecb636eb2acc08e040eccf8a9a29

    SHA256

    79ace97b2bda05e1da2524428f278c7504dd892862d7bdcb35850ab28c4f5b09

    SHA512

    b430bb7e87932ce8dc50191d1257878a793f23135232aa0424c79c60d6e2b4ec9ef22e7fc2bf27f3802017927941588016b0e1fa3e4226812c801ca9186bb12b

    Download Submit

  • memory/1404-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1404-67-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1404-71-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1712-57-0x0000000075771000-0x0000000075773000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1712-56-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1712-65-0x0000000002FA0000-0x0000000002FC8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1712-66-0x0000000002FA0000-0x0000000002FC8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1712-69-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1712-70-0x0000000002FA0000-0x0000000002FC8000-memory.dmp

    Filesize

    160KB

    Download