Analysis

  • max time kernel
    188s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 00:21

General

  • Target

    b0e800e942bdc047aa69b305a1443df30144663be70481f8f9ad36a61f206170.exe

  • Size

    228KB

  • MD5

    2b163d8ef071a241bc00fb2922f0feee

  • SHA1

    d0d66cdb76e5dc5716a9ec1a40790b96a49c351f

  • SHA256

    b0e800e942bdc047aa69b305a1443df30144663be70481f8f9ad36a61f206170

  • SHA512

    326b1dc5645a2c0f2875ebcef2c20cec569e03dfb4798b62b2ffc2cea0dae8daa944fc5ca574058f6cbddd830db7d91d0833fa79ac19c884e8d486a99a102c05

  • SSDEEP

    3072:fmkiX6HOTPI/YXYqqd8MoNrozX+h2RAGCD6fjtQ/MK:fmO3/qqdGrhAeyBQ/F

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox rates this as likely ransomware behaviour; on its own, drive enumeration is also consistent with removable-drive propagation, so weigh it together with the other signatures.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0e800e942bdc047aa69b305a1443df30144663be70481f8f9ad36a61f206170.exe
    "C:\Users\Admin\AppData\Local\Temp\b0e800e942bdc047aa69b305a1443df30144663be70481f8f9ad36a61f206170.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Users\Admin\saven.exe
      "C:\Users\Admin\saven.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4896
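
The signatures and process tree above describe four host-observable behaviours: a sample running out of %TEMP% drops saven.exe into the profile root and executes it, adds a Run value pointing at it, and changes the Explorer hidden-file visibility settings. The Python below, an added example that is not part of the sandbox report, turns those into hunt rules over Sysmon-style events and matches the report's SHA256 values. The events are constructed (the SID, the benign svchost and vendor-updater noise, and the field names modelled on Sysmon's ProcessCreate and RegistryEvent value-set records are all assumptions); the hashes and paths are taken from the report.

```python
import re

# SHA256 values copied from the report (submitted sample and dropped saven.exe).
IOC_SHA256 = {
    "b0e800e942bdc047aa69b305a1443df30144663be70481f8f9ad36a61f206170": "submitted sample",
    "d78e641c5d5b620ae663e5c4d93cc80769fe1a797ea112f1a2cd68f40ae47205": "dropped saven.exe",
}

# Run / RunOnce value under HKCU or HKLM, matched on the trailing key path.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Explorer visibility toggles: Hidden=2 hides hidden files, ShowSuperHidden=0 hides
# protected OS files, HideFileExt=1 hides extensions.
EXPLORER_VIS_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"
    r"(Hidden|ShowSuperHidden|HideFileExt)$", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\", re.I)
# An .exe sitting directly in a profile root, e.g. C:\Users\Admin\saven.exe
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def sha256_from_hashes(field):
    """Pull SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def analyze(events):
    """Return (rule, detail) findings for the behaviours the report describes."""
    findings = []
    for ev in events:
        kind = ev.get("EventType")
        image = ev.get("Image", "")
        if kind == "ProcessCreate":
            sha = sha256_from_hashes(ev.get("Hashes", ""))
            if sha in IOC_SHA256:
                findings.append(("known_ioc_hash", f"{image} ({IOC_SHA256[sha]})"))
            parent = ev.get("ParentImage", "")
            # Dropped-EXE pattern from the process tree: profile-root .exe launched
            # by a process running out of %TEMP%.
            if PROFILE_ROOT_EXE_RE.match(image) and TEMP_DIR_RE.search(parent):
                findings.append(("dropped_exe_from_temp", f"{parent} -> {image}"))
        elif kind == "RegistryValueSet":
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            # Run-key persistence is only interesting when the command lives in a
            # user-writable path; vendor entries under Program Files are ignored.
            if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.match(details.strip('"')):
                findings.append(("run_key_user_path", f"{target} = {details}"))
            # Visibility toggles set by anything other than a Windows binary
            # (explorer.exe itself writes these when the user changes folder options).
            elif EXPLORER_VIS_RE.search(target) and not image.lower().startswith("c:\\windows\\"):
                findings.append(("explorer_visibility_tamper", f"{image} set {target} to {details}"))
    return findings


# Constructed sample events mirroring the report's process tree (SID is made up).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\b0e800e942bdc047aa69b305a1443df30144663be70481f8f9ad36a61f206170.exe"
DROPPED_PATH = r"C:\Users\Admin\saven.exe"
HKCU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": SAMPLE_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=B0E800E942BDC047AA69B305A1443DF30144663BE70481F8F9AD36A61F206170"},
    {"EventType": "RegistryValueSet", "Image": SAMPLE_PATH,
     "TargetObject": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventType": "RegistryValueSet", "Image": SAMPLE_PATH,
     "TargetObject": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\saven",
     "Details": DROPPED_PATH},
    {"EventType": "ProcessCreate", "Image": DROPPED_PATH, "ParentImage": SAMPLE_PATH,
     "Hashes": "SHA256=D78E641C5D5B620AE663E5C4D93CC80769FE1A797EA112F1A2CD68F40AE47205"},
    # Benign noise: a service start and a vendor Run value under Program Files.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=0000"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running it yields five findings in event order (the known hash of the submitted sample, the Explorer visibility change, the Run value in a user path, and for saven.exe both the known hash and the dropped-from-%TEMP% launch); the two benign events produce nothing. On a real host, feed it the Sysmon event fields exported from the log and extend IOC_SHA256 with the MD5/SHA1 values above if that is what your telemetry carries.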

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\saven.exe

    Filesize

    228KB

    MD5

    6facaa14df7b1212e0e60cb3e94b02aa

    SHA1

    2744d97245f2babb7a8f1f4b18c24c62a791e6c1

    SHA256

    d78e641c5d5b620ae663e5c4d93cc80769fe1a797ea112f1a2cd68f40ae47205

    SHA512

    6608a1054c3db41f05e61bf7aa0eb5312aac81b569d7384b1d8667d2067a0ffb3198222a1990f4e30371ed979dad2fe020bde657fdf38dd25cb9ce9d466db260

  • memory/4896-134-0x0000000000000000-mapping.dmp