Overview

overview

8

Static

static

5eba89aae7...84.exe

windows7-x64

8

5eba89aae7...84.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    204s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe

  • Size

    1.1MB

  • MD5

    4def29bc70afa4bdceeaefbab4329d30

  • SHA1

    b7c093f4124bc4150dec407d57efb6fcfafafa7f

  • SHA256

    5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184

  • SHA512

    70487e99d495b036f1760ed224bd61b877d0ff2d05aa8206fc0a2c19c3dfa7b3a57e8d420acd708ad636f657aabcf9c4b8971298474b01d534d71550dd2ea905

  • SSDEEP

    12288:G5qOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+g:G5najQEPnvg6PhWDC750g

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2628
      • C:\Users\Admin\AppData\Local\Temp\5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe
        "C:\Users\Admin\AppData\Local\Temp\5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4952
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4805.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3496
            • C:\Users\Admin\AppData\Local\Temp\5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe
              "C:\Users\Admin\AppData\Local\Temp\5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:5052
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1336
                5⤵
                • Program crash
                PID:1268
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4984
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4728
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:776
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2972
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5052 -ip 5052
            1⤵
              PID:940

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\$$a4805.bat
              Filesize

              722B

              MD5

              12cebe6c7d42c729b2bffb501b5422fa

              SHA1

              2a00b5cb42298bcaf85fb883905ba70193c6ef0e

              SHA256

              96a082660d8b5ea91dd459b6e2b7972b9789c0e8564bb6925182db953bc9210c

              SHA512

              a885bc0bff6137a87868f061328282e404640bf39c842ed9a6d480e25769a1762228cbea7db16c0d8d2da5587f6f80734958ee6406c4ed356ce0fe3511ee3183

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe
              Filesize

              1.1MB

              MD5

              b0375fadbb808beaf33971aa2b1b56e2

              SHA1

              2b978167e0b264e7dd3484c61df8b31799f6867f

              SHA256

              92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

              SHA512

              8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5eba89aae797ba61a4fa1e2d34b99fc8c640cc28d037d84f4a75d7f2dabc9184.exe.exe
              Filesize

              1.1MB

              MD5

              b0375fadbb808beaf33971aa2b1b56e2

              SHA1

              2b978167e0b264e7dd3484c61df8b31799f6867f

              SHA256

              92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

              SHA512

              8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              51ee7bb63f7a43951ed5c8b18abf1bd1

              SHA1

              8365dfbaaf7f0f81e7e8c8376a6e337b496606db

              SHA256

              dca933f59704702be0dd2630baa2d69981484282da2a9e3840a8dc2651d3a83f

              SHA512

              9da7783d9a07cb667cc41c80355d88cde975520ab38bf12ca1c4cf1348986b2d7b729a4ac5906b88c359469d82cef2d44916bd7553d1738fd509dfac1464cf2a

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              51ee7bb63f7a43951ed5c8b18abf1bd1

              SHA1

              8365dfbaaf7f0f81e7e8c8376a6e337b496606db

              SHA256

              dca933f59704702be0dd2630baa2d69981484282da2a9e3840a8dc2651d3a83f

              SHA512

              9da7783d9a07cb667cc41c80355d88cde975520ab38bf12ca1c4cf1348986b2d7b729a4ac5906b88c359469d82cef2d44916bd7553d1738fd509dfac1464cf2a

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              33KB

              MD5

              51ee7bb63f7a43951ed5c8b18abf1bd1

              SHA1

              8365dfbaaf7f0f81e7e8c8376a6e337b496606db

              SHA256

              dca933f59704702be0dd2630baa2d69981484282da2a9e3840a8dc2651d3a83f

              SHA512

              9da7783d9a07cb667cc41c80355d88cde975520ab38bf12ca1c4cf1348986b2d7b729a4ac5906b88c359469d82cef2d44916bd7553d1738fd509dfac1464cf2a

              Download Submit

            • memory/776-148-0x0000000000000000-mapping.dmp

              Download

            • memory/2972-149-0x0000000000000000-mapping.dmp

              Download

            • memory/3496-135-0x0000000000000000-mapping.dmp

              Download

            • memory/4408-140-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4408-132-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4540-146-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4540-137-0x0000000000000000-mapping.dmp

              Download

            • memory/4540-150-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4636-133-0x0000000000000000-mapping.dmp

              Download

            • memory/4728-143-0x0000000000000000-mapping.dmp

              Download

            • memory/4952-134-0x0000000000000000-mapping.dmp

              Download

            • memory/4984-141-0x0000000000000000-mapping.dmp

              Download

            • memory/5052-144-0x0000000000000000-mapping.dmp

              Download