Overview

overview

10

Static

static

2c0b1452a2...7b.exe

windows7-x64

10

2c0b1452a2...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe

  • Size

    260KB

  • MD5

    5747e1a808e070a884a78b672f661b00

  • SHA1

    29a67bb88034f42f5e35b4d5d1c6f40f69b36fd2

  • SHA256

    2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b

  • SHA512

    f312179f2439ad691f9b9bdfae89edece04a89412b2c90229d5df32fc7cc90d7e1820781abaa366e65deb8669755d3f77947b899a4d3969c81e2f972a8bb6e5e

  • SSDEEP

    6144:nd7IgTSrMaIl/jcLijfHFEHWzXvjT85R:npNTSrMaIqLlI/H85R

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe
    "C:\Users\Admin\AppData\Local\Temp\2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\saagier.exe
      "C:\Users\Admin\saagier.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\saagier.exe
    Filesize

    260KB

    MD5

    6ac0069bd59ee22ee1e14f0f6a2724d9

    SHA1

    494e20ec95d0a010fe3ec4756d3b7816b103658f

    SHA256

    d5b735ff2220bead73f0a392891eed68337e198a92f6bb25f5dd3f1e484d6c24

    SHA512

    c72f3f9bd8c2342c1779840cc84c9f7eebd6546fc2ed5705b9fee961ff60386072f1cda1fec78d0fad98077ebcef1e276fb8f23f46daa33e660d4793ec34ad05

    Download Submit

  • C:\Users\Admin\saagier.exe
    Filesize

    260KB

    MD5

    6ac0069bd59ee22ee1e14f0f6a2724d9

    SHA1

    494e20ec95d0a010fe3ec4756d3b7816b103658f

    SHA256

    d5b735ff2220bead73f0a392891eed68337e198a92f6bb25f5dd3f1e484d6c24

    SHA512

    c72f3f9bd8c2342c1779840cc84c9f7eebd6546fc2ed5705b9fee961ff60386072f1cda1fec78d0fad98077ebcef1e276fb8f23f46daa33e660d4793ec34ad05

    Download Submit

  • \Users\Admin\saagier.exe
    Filesize

    260KB

    MD5

    6ac0069bd59ee22ee1e14f0f6a2724d9

    SHA1

    494e20ec95d0a010fe3ec4756d3b7816b103658f

    SHA256

    d5b735ff2220bead73f0a392891eed68337e198a92f6bb25f5dd3f1e484d6c24

    SHA512

    c72f3f9bd8c2342c1779840cc84c9f7eebd6546fc2ed5705b9fee961ff60386072f1cda1fec78d0fad98077ebcef1e276fb8f23f46daa33e660d4793ec34ad05

    Download Submit

  • \Users\Admin\saagier.exe
    Filesize

    260KB

    MD5

    6ac0069bd59ee22ee1e14f0f6a2724d9

    SHA1

    494e20ec95d0a010fe3ec4756d3b7816b103658f

    SHA256

    d5b735ff2220bead73f0a392891eed68337e198a92f6bb25f5dd3f1e484d6c24

    SHA512

    c72f3f9bd8c2342c1779840cc84c9f7eebd6546fc2ed5705b9fee961ff60386072f1cda1fec78d0fad98077ebcef1e276fb8f23f46daa33e660d4793ec34ad05

    Download Submit

  • memory/1460-56-0x0000000075831000-0x0000000075833000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1528-59-0x0000000000000000-mapping.dmp

    Download