Overview

overview

10

Static

static

5ac4bb2ce1...02.exe

windows7-x64

10

5ac4bb2ce1...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2022, 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ac4bb2ce18a01ce87f7540013af439a83894a7b34156d9875f3785399f3bc02.exe

  • Size

    260KB

  • MD5

    380d675c89fbeef71a8d951874cf8b8d

  • SHA1

    c22b0bc5d5a938e5ee0034f3af16358451445d17

  • SHA256

    5ac4bb2ce18a01ce87f7540013af439a83894a7b34156d9875f3785399f3bc02

  • SHA512

    b0eb8612e38030f00ead1d2160dbd1339867ef8d15f19b9432373d84daee5ddb88e06b74f2a371dc97fbd3ef2fd359d93145504fdd3aa255af2332330d20dd87

  • SSDEEP

    3072:9gfAlN/vh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGV9:9d+gTSrMaIl/jcLijfHFEHWzXvjT85R

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ac4bb2ce18a01ce87f7540013af439a83894a7b34156d9875f3785399f3bc02.exe
    "C:\Users\Admin\AppData\Local\Temp\5ac4bb2ce18a01ce87f7540013af439a83894a7b34156d9875f3785399f3bc02.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\fvkiq.exe
      "C:\Users\Admin\fvkiq.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:224

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\fvkiq.exe
    Filesize

    260KB

    MD5

    118936d4b461dc13e1df5ba337772ce2

    SHA1

    4e2904050fcbba592011bd3d823983fca2e645d3

    SHA256

    3a8773bc8ae3a1790ceccaf69c34458379f38a2af3fd95f0dd3a0f78face149a

    SHA512

    f8fdc89d2f710bbc0ff28573e99668b82c3925df45a48beb9455d52154be236481de220a7726de01f9f53244412f530507fce39616795923e00ab79e684d6cf9

    Download Submit

  • C:\Users\Admin\fvkiq.exe
    Filesize

    260KB

    MD5

    118936d4b461dc13e1df5ba337772ce2

    SHA1

    4e2904050fcbba592011bd3d823983fca2e645d3

    SHA256

    3a8773bc8ae3a1790ceccaf69c34458379f38a2af3fd95f0dd3a0f78face149a

    SHA512

    f8fdc89d2f710bbc0ff28573e99668b82c3925df45a48beb9455d52154be236481de220a7726de01f9f53244412f530507fce39616795923e00ab79e684d6cf9

    Download Submit