Analysis

  • max time kernel
    201s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 00:29

General

  • Target

    751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c.exe

  • Size

    60KB

  • MD5

    360d89d5aa19c242f346d939962cb590

  • SHA1

    b5cd4284f8edbd39c88b7e587181cab6a0924261

  • SHA256

    751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c

  • SHA512

    f7ad21fa811aa1471e17b6b90040556983b729373796e5a3879580e3facc074a23ed05f06ba1badd7e8e7c2f9cb346a7c415ca9d9095fb07849faef977a09e74

  • SSDEEP

    768:k6qTD9xRIHgWTU6xUdPMXndo7sZUNMRrY20KtF1eNbw1o+pdok4I:h2DL6mJdsndo6UNMyetF1qw1o+pdSI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c.exe
    "C:\Users\Admin\AppData\Local\Temp\751609f7e6b651aba656ec190f5ebd00bcf5f23179ae3124c26d9460f4c0574c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\fypuas.exe
      "C:\Users\Admin\fypuas.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4372

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\fypuas.exe

    Filesize

    60KB

    MD5

    749e92e9e6884f6e2ff617d983c0b855

    SHA1

    88cc848688abe2b25d432a81342c158a3b1338be

    SHA256

    9567aa69792adc897f273e454aef3bbe186e7853aa54861b730ce9fdc52fee26

    SHA512

    e78b3171af6c1b23d4f7222606ce2c9d890c0f907701e5316e70a954c7dd67a2c80850c0d6aee75e9eb407d90939465e2fffe25a8434dd4a1ae4df06b794d321

  • memory/4372-134-0x0000000000000000-mapping.dmp