Analysis

  • max time kernel
    153s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 17:17

General

  • Target

    1fb123934d4ddcaa1db22b91b1feb7b59b2db64eaeb2c7b14709f32d0c714e53.exe

  • Size

    208KB

  • MD5

    571002a47b78ab366a2031d9c0eba7e7

  • SHA1

    0b538a907be79ff578032cb1113c3c7b6d8fe837

  • SHA256

    1fb123934d4ddcaa1db22b91b1feb7b59b2db64eaeb2c7b14709f32d0c714e53

  • SHA512

    c5fd75a9afc5a09be642194b4a79638b968ce9fd5385f5feecb137551d8899f42a774706f547cf599e39e823b2608272404c85259809cc3ff0b2457afe684dde

  • SSDEEP

    3072:zL/ErSdOKkbHtInyG2mTmGQ9AphKElqUAD:zL/ErMAbHenyGH2aKAA

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fb123934d4ddcaa1db22b91b1feb7b59b2db64eaeb2c7b14709f32d0c714e53.exe
    "C:\Users\Admin\AppData\Local\Temp\1fb123934d4ddcaa1db22b91b1feb7b59b2db64eaeb2c7b14709f32d0c714e53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\tuitub.exe
      "C:\Users\Admin\tuitub.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:968

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tuitub.exe

    Filesize

    208KB

    MD5

    c4a825ec77013683af12601968cfa3be

    SHA1

    cb7dc46675fc90cbfd3a9ef8cac51715472c27b6

    SHA256

    42d1e4ece0012150bca53af8a386cc87037eb21cb37fe55913ccc19e31414dc3

    SHA512

    0b8a9d2510edba0a8a554b17283a0e7991cff15f2c1f5aaf9a0d63bed72bd2eea8013f74af055d152bae828fdf1138200596f3b655c585c65d7f97c50e4ffdb2

  • memory/968-134-0x0000000000000000-mapping.dmp