Overview

overview

10

Static

static

6eaf8f2766...8b.exe

windows7-x64

10

6eaf8f2766...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    198s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6eaf8f27666e511d620066188ca34760ac44d3241e90554bc5cc696cdea0d88b.exe

  • Size

    248KB

  • MD5

    34bf25da402351ff5a346fed32ba6280

  • SHA1

    f208adc9f7c253db5edf6cf8263cbf57655bb7e2

  • SHA256

    6eaf8f27666e511d620066188ca34760ac44d3241e90554bc5cc696cdea0d88b

  • SHA512

    0858b8075f5aa14a5c01fa1197987d43c13418fb309b3fa8bdb33048b4da3a8e16e677743939c566c5a73ec8fe7b3337173324d9b1a65493b6c8a36dcba497ac

  • SSDEEP

    3072:gr1Pci6xjLw6fF44m1shLv0diVjtt3PQ0pU3623sWMGCX799A2Uuu6WSLOXnt7sp:grRAw6+4m1umwptvpIMGaQ66jtc

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6eaf8f27666e511d620066188ca34760ac44d3241e90554bc5cc696cdea0d88b.exe
    "C:\Users\Admin\AppData\Local\Temp\6eaf8f27666e511d620066188ca34760ac44d3241e90554bc5cc696cdea0d88b.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Users\Admin\giaxiud.exe
      "C:\Users\Admin\giaxiud.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\giaxiud.exe
    Filesize

    248KB

    MD5

    166bc4ef923150eb4dca4f8ef07d94a6

    SHA1

    dc587b5a5d42c4fdcb3a68cc821e473cb693500b

    SHA256

    2b87caf94f41794cbd27aad5426436e7fc0c6aa938064d09ed9f101f0aa40229

    SHA512

    b8c6befdd88018eba3f500a7f046448b3c4428ffdcb1f5831304c93ce3ad788b1992ca1af16a92e46103e2f89600a7a20203dccfd4b9b2a4ecd10bc8a5ece992

    Download Submit

  • C:\Users\Admin\giaxiud.exe
    Filesize

    248KB

    MD5

    166bc4ef923150eb4dca4f8ef07d94a6

    SHA1

    dc587b5a5d42c4fdcb3a68cc821e473cb693500b

    SHA256

    2b87caf94f41794cbd27aad5426436e7fc0c6aa938064d09ed9f101f0aa40229

    SHA512

    b8c6befdd88018eba3f500a7f046448b3c4428ffdcb1f5831304c93ce3ad788b1992ca1af16a92e46103e2f89600a7a20203dccfd4b9b2a4ecd10bc8a5ece992

    Download Submit

  • \Users\Admin\giaxiud.exe
    Filesize

    248KB

    MD5

    166bc4ef923150eb4dca4f8ef07d94a6

    SHA1

    dc587b5a5d42c4fdcb3a68cc821e473cb693500b

    SHA256

    2b87caf94f41794cbd27aad5426436e7fc0c6aa938064d09ed9f101f0aa40229

    SHA512

    b8c6befdd88018eba3f500a7f046448b3c4428ffdcb1f5831304c93ce3ad788b1992ca1af16a92e46103e2f89600a7a20203dccfd4b9b2a4ecd10bc8a5ece992

    Download Submit

  • \Users\Admin\giaxiud.exe
    Filesize

    248KB

    MD5

    166bc4ef923150eb4dca4f8ef07d94a6

    SHA1

    dc587b5a5d42c4fdcb3a68cc821e473cb693500b

    SHA256

    2b87caf94f41794cbd27aad5426436e7fc0c6aa938064d09ed9f101f0aa40229

    SHA512

    b8c6befdd88018eba3f500a7f046448b3c4428ffdcb1f5831304c93ce3ad788b1992ca1af16a92e46103e2f89600a7a20203dccfd4b9b2a4ecd10bc8a5ece992

    Download Submit

  • memory/564-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1816-59-0x0000000000000000-mapping.dmp

    Download