Analysis

  • max time kernel
    169s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 17:07

General

  • Target

    dfe5a81abe1e9f9edebd3d097844241d28f77a3f1bb5c21801f6a69494d4d688.exe

  • Size

    232KB

  • MD5

    16948af8cffc7a8b66d576dc50082ef1

  • SHA1

    d8cb90eebf84231b309045a57b4ff37a67d32b8a

  • SHA256

    dfe5a81abe1e9f9edebd3d097844241d28f77a3f1bb5c21801f6a69494d4d688

  • SHA512

    41978e54f790b9c4d6a371a2d314fa44314858dc594568cefce173ed00c39ff689c09e55ed01af64fb802fba74577188bf35807c54c26f9a752ce3307b566d9c

  • SSDEEP

    6144:AN3PFKs78g2KyEOaWEqxF6snji81RUinKdNObh:QPh+mFE

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfe5a81abe1e9f9edebd3d097844241d28f77a3f1bb5c21801f6a69494d4d688.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe5a81abe1e9f9edebd3d097844241d28f77a3f1bb5c21801f6a69494d4d688.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\baemour.exe
      "C:\Users\Admin\baemour.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:972

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\baemour.exe

    Filesize

    232KB

    MD5

    88a5e6446ce5914392fa259655848d92

    SHA1

    756e8e2c176fd2d896811f4cdad1f50575309868

    SHA256

    b69991f97e99e2626928bf2f7db66dbc543bb05731990db4c4144b8b73c2cd7a

    SHA512

    61604780b8a325fb54e63f05114ed143caea346e6927c0c7ca54351841711de7e073837a2536e7fdeaf77282b4a8ebcf0e96d82766f059835ed6630e2321c542

  • \Users\Admin\baemour.exe

    Filesize

    232KB

    MD5

    88a5e6446ce5914392fa259655848d92

    SHA1

    756e8e2c176fd2d896811f4cdad1f50575309868

    SHA256

    b69991f97e99e2626928bf2f7db66dbc543bb05731990db4c4144b8b73c2cd7a

    SHA512

    61604780b8a325fb54e63f05114ed143caea346e6927c0c7ca54351841711de7e073837a2536e7fdeaf77282b4a8ebcf0e96d82766f059835ed6630e2321c542

  • memory/884-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

  • memory/972-59-0x0000000000000000-mapping.dmp