Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 00:24

General

  • Target

    5109c0f33142e44719c87def2fb274b2af654fe6b198264bdbcbc4a6a9261189.exe

  • Size

    116KB

  • MD5

    3493417c8214eeda2a96d562dd93d475

  • SHA1

    c1f9978936898307ae9c43db982de4e93b6d0d35

  • SHA256

    5109c0f33142e44719c87def2fb274b2af654fe6b198264bdbcbc4a6a9261189

  • SHA512

    067d59624a2f98af4299f150cc16c2440b811e69bd6529212b244a9bdb747984244398d1828f5e9dc5d14d4338255596539960c03c1654c7de92dad2e261c897

  • SSDEEP

    1536:V9Q8pcRDBeZUBFTgVjtXZTto1e9uCLBCPr8/NL44PerV9I8kIi/6h:vbpcTeZU7TgdTq1drxh

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5109c0f33142e44719c87def2fb274b2af654fe6b198264bdbcbc4a6a9261189.exe
    "C:\Users\Admin\AppData\Local\Temp\5109c0f33142e44719c87def2fb274b2af654fe6b198264bdbcbc4a6a9261189.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\raacuuw.exe
      "C:\Users\Admin\raacuuw.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3760

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\raacuuw.exe

    Filesize

    116KB

    MD5

    af84d83e4f25466b6aa2f58612c7010a

    SHA1

    8e9d00f758d3afec8e67f4870dcebe21c786e440

    SHA256

    e6edebf7063b1029c4dba99c30132fba3687f26aeafd7464ca0d8038b8986086

    SHA512

    f3ee867a691b186ca026f4e98ecb68da297ea97461b1cacb42cbb1db64d6ca4846d6c4d1c6246f00c0172a1358ff7e62171502d9ad8437710948714b068ed423

  • memory/3760-134-0x0000000000000000-mapping.dmp