Analysis

  • max time kernel
    242s
  • max time network
    333s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 05:28

General

  • Target

    a56eebd04e0176a36775c0f9644e786c5c30576e1ed36ef989214081bb111f12.exe

  • Size

    84KB

  • MD5

    0ae04f2e6d3dd30f65baed0d0869d7b4

  • SHA1

    1c95880e934fce5cbeb8453059cb082c860b738a

  • SHA256

    a56eebd04e0176a36775c0f9644e786c5c30576e1ed36ef989214081bb111f12

  • SHA512

    3c7605d462c3cee67f9aa72fdd13073da823bead4de5bddc1cbdf719f133c851d52b99b17a7c4fa2eaddab39cb925c745a734ce04d8b6d99a044ca27c9d1b81a

  • SSDEEP

    768:DyV+hOvogEwzpbgJyGE5NIWi3KEyUhL7b7Yqlf4JwQltjmtTBHi7Al+:DoFv9p1rC76Ezh/vYlJwAitTB3l+

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a56eebd04e0176a36775c0f9644e786c5c30576e1ed36ef989214081bb111f12.exe
    "C:\Users\Admin\AppData\Local\Temp\a56eebd04e0176a36775c0f9644e786c5c30576e1ed36ef989214081bb111f12.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Users\Admin\tioum.exe
      "C:\Users\Admin\tioum.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1156
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 820
      2⤵
      • Program crash
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tioum.exe

    Filesize

    84KB

    MD5

    3920c67613ffd376d68e70d2376e009b

    SHA1

    adf1bd8bf51046a4fb2f7925f786b085b6eb2928

    SHA256

    e8a0357b413defd47dd6526aab233180f1b36ca77bf2aada30fc14366a78bfc2

    SHA512

    6e987fac2d1cc6836e82db4be3537d4b8d10a732c8f79960324626280d25a28e9d5451579fecab46874d78e00bef2848a3123d688ded9b87e54524ca279075d0

  • \Users\Admin\tioum.exe

    Filesize

    84KB

    MD5

    3920c67613ffd376d68e70d2376e009b

    SHA1

    adf1bd8bf51046a4fb2f7925f786b085b6eb2928

    SHA256

    e8a0357b413defd47dd6526aab233180f1b36ca77bf2aada30fc14366a78bfc2

    SHA512

    6e987fac2d1cc6836e82db4be3537d4b8d10a732c8f79960324626280d25a28e9d5451579fecab46874d78e00bef2848a3123d688ded9b87e54524ca279075d0

  • memory/368-56-0x0000000075531000-0x0000000075533000-memory.dmp

    Filesize

    8KB

  • memory/1156-59-0x0000000000000000-mapping.dmp

  • memory/1664-65-0x0000000000000000-mapping.dmp