Analysis

  • max time kernel: 202s
  • max time network: 127s
  • platform: windows7_x64
  • resource: win7-20221111-en
  • resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted: 24/11/2022, 00:29

General

  • Target: 751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c.exe
  • Size: 60KB
  • MD5: 360d89d5aa19c242f346d939962cb590
  • SHA1: b5cd4284f8edbd39c88b7e587181cab6a0924261
  • SHA256: 751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c
  • SHA512: f7ad21fa811aa1471e17b6b90040556983b729373796e5a3879580e3facc074a23ed05f06ba1badd7e8e7c2f9cb346a7c415ca9d9095fb07849faef977a09e74
  • SSDEEP: 768:k6qTD9xRIHgWTU6xUdPMXndo7sZUNMRrY20KtF1eNbw1o+pdok4I:h2DL6mJdsndo6UNMyetF1qw1o+pdSI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 49 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c.exe
    "C:\Users\Admin\AppData\Local\Temp\751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:332
    • C:\Users\Admin\gaove.exe
      "C:\Users\Admin\gaove.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:532

Network

        Downloads

        • C:\Users\Admin\gaove.exe
          Filesize: 60KB
          MD5: 08b3e72703cc5b8ecdc06580191805de
          SHA1: b7c51aeefb5e23786374795cd8314dfd69f93204
          SHA256: b68b3a912c42d192e176e021817a60e119650ce133383886a063d14cf3cc9208
          SHA512: 6cdfc0bff15c6ec4a3e0475058046f7ccfe8a141070d441423544f2b0d99ad31932bc61e94f9c3517bebf027305c3af501fedbbe28bea75771ca6322032d8d7c

        • \Users\Admin\gaove.exe
          Filesize: 60KB
          MD5: 08b3e72703cc5b8ecdc06580191805de
          SHA1: b7c51aeefb5e23786374795cd8314dfd69f93204
          SHA256: b68b3a912c42d192e176e021817a60e119650ce133383886a063d14cf3cc9208
          SHA512: 6cdfc0bff15c6ec4a3e0475058046f7ccfe8a141070d441423544f2b0d99ad31932bc61e94f9c3517bebf027305c3af501fedbbe28bea75771ca6322032d8d7c

        • memory/332-56-0x00000000767B1000-0x00000000767B3000-memory.dmp
          Filesize: 8KB