Analysis

  • max time kernel
    151s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 19:04

General

  • Target

    0f059ba1a32550d2ff589b301e216817d3195b957bfc8cc3d38c2c7bac4a0231.exe

  • Size

    132KB

  • MD5

    597587f5a1ef252a6b6e23a1dc8dbfe0

  • SHA1

    bae291bfdd8ee0199024f9c0bb3765a029a80103

  • SHA256

    0f059ba1a32550d2ff589b301e216817d3195b957bfc8cc3d38c2c7bac4a0231

  • SHA512

    28f08ec66e35197fedeeec8002593738be62c5b9c86caef897643fd9dbd76d5081e75b8c4d80b0063a983da638c494a1325fbfff143d4bc2eb27ef3ffb5c2c33

  • SSDEEP

    3072:fanf/b6NUf6VRlxzhPak8LXo46sBizQiOku:4/biUSVPxNPaLLXoNii8iC

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 49 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f059ba1a32550d2ff589b301e216817d3195b957bfc8cc3d38c2c7bac4a0231.exe
    "C:\Users\Admin\AppData\Local\Temp\0f059ba1a32550d2ff589b301e216817d3195b957bfc8cc3d38c2c7bac4a0231.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\daeayec.exe
      "C:\Users\Admin\daeayec.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\daeayec.exe

    Filesize

    132KB

    MD5

    b7182d71703935c901b50a9df273a306

    SHA1

    23ddf86237e9b1d7d1f39f7d85872c10cbadaba2

    SHA256

    088f844ee5c9fadd60dc52f592b472c20fa10b217f16cf9f31f06c636024af13

    SHA512

    b06c9e01ea1f417238e3cbf038e43d7175092b9444fc5757140e62d0387b621d4b3dd0c232920bb3c2c9ea13ebf0c7b4f5e2a42bede24e9fbc0206cc2a413e39

  • C:\Users\Admin\daeayec.exe

    Filesize

    132KB

    MD5

    b7182d71703935c901b50a9df273a306

    SHA1

    23ddf86237e9b1d7d1f39f7d85872c10cbadaba2

    SHA256

    088f844ee5c9fadd60dc52f592b472c20fa10b217f16cf9f31f06c636024af13

    SHA512

    b06c9e01ea1f417238e3cbf038e43d7175092b9444fc5757140e62d0387b621d4b3dd0c232920bb3c2c9ea13ebf0c7b4f5e2a42bede24e9fbc0206cc2a413e39

  • \Users\Admin\daeayec.exe

    Filesize

    132KB

    MD5

    b7182d71703935c901b50a9df273a306

    SHA1

    23ddf86237e9b1d7d1f39f7d85872c10cbadaba2

    SHA256

    088f844ee5c9fadd60dc52f592b472c20fa10b217f16cf9f31f06c636024af13

    SHA512

    b06c9e01ea1f417238e3cbf038e43d7175092b9444fc5757140e62d0387b621d4b3dd0c232920bb3c2c9ea13ebf0c7b4f5e2a42bede24e9fbc0206cc2a413e39

  • \Users\Admin\daeayec.exe

    Filesize

    132KB

    MD5

    b7182d71703935c901b50a9df273a306

    SHA1

    23ddf86237e9b1d7d1f39f7d85872c10cbadaba2

    SHA256

    088f844ee5c9fadd60dc52f592b472c20fa10b217f16cf9f31f06c636024af13

    SHA512

    b06c9e01ea1f417238e3cbf038e43d7175092b9444fc5757140e62d0387b621d4b3dd0c232920bb3c2c9ea13ebf0c7b4f5e2a42bede24e9fbc0206cc2a413e39

  • memory/852-59-0x0000000000000000-mapping.dmp

  • memory/1956-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB