Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2022, 18:04

General

  • Target

    c97527db2a2d8427fff3e0a9d1487141e57e2d289e8627cb59dea0330d72e60b.exe

  • Size

    280KB

  • MD5

    0055f55fb132e96a76b9a861715fa7ac

  • SHA1

    23e9cb431614e7cee0b2be968f92a0f19456cc0c

  • SHA256

    c97527db2a2d8427fff3e0a9d1487141e57e2d289e8627cb59dea0330d72e60b

  • SHA512

    76d2326458f9f17990cd8be6f4d74414d4cf5265d7cfda7fc4f838af5859bfd8f0e8fda9636c9c599086f769f4edb5bd4e17c86fd93367abc5bbcecac98a2c24

  • SSDEEP

    6144:KIY4IpydVsZyxyK5R8GYKi1Xfvs1tzH51t+ewSReXNL/B:vuydfiebOTB

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c97527db2a2d8427fff3e0a9d1487141e57e2d289e8627cb59dea0330d72e60b.exe
    "C:\Users\Admin\AppData\Local\Temp\c97527db2a2d8427fff3e0a9d1487141e57e2d289e8627cb59dea0330d72e60b.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\zeopeip.exe
      "C:\Users\Admin\zeopeip.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1112

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zeopeip.exe

    Filesize

    280KB

    MD5

    66f193135b42de26d417e85f6b01c3b4

    SHA1

    e621e6c6e4a4b28646356c2cee4641c0045b13a6

    SHA256

    6f39e4071a21ca6097c24b513c0ed91db91b89c6326479231fcd335df0472f88

    SHA512

    346af061130825b81bc1bd3a06406e6bf1045f4b63412fa14a2d7bfc06f2ba07ee73520228ebdd01598b7788533937feb8e285a4501f0f6cda0d404fc63e9fe9