Analysis

  • max time kernel
    163s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 00:16

General

  • Target

    11140d50df472860a58b354dbac2445cbb5d121cb90a99c9af9d7350359a7112.exe

  • Size

    152KB

  • MD5

    343fc5df63f9b219016e85558fde9130

  • SHA1

    c29522ba836f8f6ce9f1a3dfdb32226adadab949

  • SHA256

    11140d50df472860a58b354dbac2445cbb5d121cb90a99c9af9d7350359a7112

  • SHA512

    d79ed6f8a209d1ecd478b2f6b3e0e3b6020b6ec6cfb248f884de5d76aff46914b8256b988ef8d09beedd83df5fb10dc63bd85512e0fba09f4c4b83fbd6d9848e

  • SSDEEP

    3072:khUFgUtTQtKrueiygR4O6avJamofU4oQZiEpZ93:ZgUNQtKSMgR56avUmpW/

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11140d50df472860a58b354dbac2445cbb5d121cb90a99c9af9d7350359a7112.exe
    "C:\Users\Admin\AppData\Local\Temp\11140d50df472860a58b354dbac2445cbb5d121cb90a99c9af9d7350359a7112.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\feape.exe
      "C:\Users\Admin\feape.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1200

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\feape.exe

    Filesize

    152KB

    MD5

    bd1d9dfbd39ea39b05b88c208861b38a

    SHA1

    aec3c705bda07275271ad6f0390d2d2a1ab91509

    SHA256

    2457e6eb2335023378090c793848bc9de6681fcb724d8a2c1f474d68fba437fc

    SHA512

    2e5297345df7f6f2362503dab77b3a74ee7e1988c59f947b45345edbfda7ec78c099572328f0c3c74b43800de92cbd471ecd09844f6bce862ad2754fa9b47499

  • memory/1200-136-0x0000000000000000-mapping.dmp

  • memory/1200-141-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1200-142-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1328-132-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1328-135-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB