Overview

overview

10

Static

static

6ab33f689a...92.exe

windows7-x64

10

6ab33f689a...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe

  • Size

    204KB

  • MD5

    506208625ac93839c284cbfdfd05b9fe

  • SHA1

    067ecb589cb5f75ee1c596cc9b1928f7bcca9f1d

  • SHA256

    6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792

  • SHA512

    b7b8282e0f71653033fa8364335094753f9fc8aa0a118bf7147a314246195008b914f76ba6cb609764be617aef2bd0b57d7a651cea70b93ef17e11a4906d1d70

  • SSDEEP

    3072:+Vr+bRN2K57jQpI6d27GVV+FWl11oQB7t9X7aOQC:O+vF57jQS6dQGVVmWOQFL7aOQC

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe
    "C:\Users\Admin\AppData\Local\Temp\6ab33f689a79095fcbc71df3a2f3d93387d8ac7bf5e7461e8c65aed2b6038792.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\reoedo.exe
      "C:\Users\Admin\reoedo.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4916

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\reoedo.exe
    Filesize

    204KB

    MD5

    b490395a482f2d39b46b75ee4b64cea1

    SHA1

    48e0e2e8081285f00d4dd36cbcf429c234ef604e

    SHA256

    8c3488dd463ef37b2cbacae2e3a3adf725cf99bbba05a9a5cb3ed2147cc7f66f

    SHA512

    996268a227f7f6aa7edb27d440d9beba87257e706addc3a2958759002824dff3652f369ec66596d07db2fb6e62554de4fc0dc824a4bf8d6950e1f0a80dd08da9

    Download Submit
  • C:\Users\Admin\reoedo.exe
    Filesize

    204KB

    MD5

    b490395a482f2d39b46b75ee4b64cea1

    SHA1

    48e0e2e8081285f00d4dd36cbcf429c234ef604e

    SHA256

    8c3488dd463ef37b2cbacae2e3a3adf725cf99bbba05a9a5cb3ed2147cc7f66f

    SHA512

    996268a227f7f6aa7edb27d440d9beba87257e706addc3a2958759002824dff3652f369ec66596d07db2fb6e62554de4fc0dc824a4bf8d6950e1f0a80dd08da9

    Download Submit
  • memory/4916-134-0x0000000000000000-mapping.dmp
    Download