Overview

overview

10

Static

static

9e77db2d35...72.exe

windows7-x64

10

9e77db2d35...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe

  • Size

    68KB

  • MD5

    e87de6e490804abe7a4eb01ff0898edc

  • SHA1

    4d932b5e7898610b1053b235075b70e11749091e

  • SHA256

    9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972

  • SHA512

    688709af6a83676908e0972198835ade516911d0968c6a620bd85980e87692bd67a31ff443f273083fd6cbad470cdc9b60bef05afa1a4b2e189ec5fdf51d1be2

  • SSDEEP

    768:QcEliTd+ERAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:fEIxlAcqOK3qowgnt1d

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe
    "C:\Users\Admin\AppData\Local\Temp\9e77db2d3503dbe700cf7dcf158e9c5da71b7a931fde9af68a97a7fe371cd972.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\Admin.exe
      "C:\Users\Admin\Admin.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1
T1158

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Admin.exe
    Filesize

    68KB

    MD5

    1a5eb3e4a0e0f9ed6e872cba7c97cf0d

    SHA1

    ca97d9260656db66d39235c79f8a17c8cd7c0801

    SHA256

    0f57974c3bab04535b1f7e2e02e12faaf029c929c94e40a09280be14964764f5

    SHA512

    71c9a7973062e1ca23eaa4914f10d2d69be1d9b0a29bccc4895ef78619ce7aa711958b951a122e0f5f667a2849f9112c0d85a9e8d512706cd70c5e7b902223f7

    Download Submit
  • C:\Users\Admin\Admin.exe
    Filesize

    68KB

    MD5

    1a5eb3e4a0e0f9ed6e872cba7c97cf0d

    SHA1

    ca97d9260656db66d39235c79f8a17c8cd7c0801

    SHA256

    0f57974c3bab04535b1f7e2e02e12faaf029c929c94e40a09280be14964764f5

    SHA512

    71c9a7973062e1ca23eaa4914f10d2d69be1d9b0a29bccc4895ef78619ce7aa711958b951a122e0f5f667a2849f9112c0d85a9e8d512706cd70c5e7b902223f7

    Download Submit
  • memory/1688-132-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

    Download
  • memory/3088-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3088-138-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

    Download