Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2022, 03:38

General

  • Target

    32db468a9e052a6d1d238e09edb15a1ae2164283f1c001c7fba11250fcec89b0.exe

  • Size

    116KB

  • MD5

    7218a93aa09ab10dab2a4a696757980b

  • SHA1

    61f481919e57d4cc1ce17c9e3baf98bba140dc83

  • SHA256

    32db468a9e052a6d1d238e09edb15a1ae2164283f1c001c7fba11250fcec89b0

  • SHA512

    2d54ae32fb9544a471ce052a8338774e4e062ed729ef67ad7dc41174fd159d4c8155ee435d306bd408dbaa1d01758ff00dc5120bb0d946a2f4804ed63538ad6d

  • SSDEEP

    1536:gxRTfwJ9MyJJ1Uk+g+pZgGEbGeftRkDhfdxoMqVjFeQJsl0KuwOZZZZH1gMiZ9S:eRT0Ms/UWRJjsl0xdZZZZVgXS

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32db468a9e052a6d1d238e09edb15a1ae2164283f1c001c7fba11250fcec89b0.exe
    "C:\Users\Admin\AppData\Local\Temp\32db468a9e052a6d1d238e09edb15a1ae2164283f1c001c7fba11250fcec89b0.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\rzqeuj.exe
      "C:\Users\Admin\rzqeuj.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4340
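
The signatures and process tree above give a responder three host artefacts to look for: the Explorer hidden/system-file settings the sample changes, Run-key persistence pointing at a dropped executable, and the dropped copy itself at C:\Users\Admin\rzqeuj.exe. The following PowerShell script is an added triage check written for this report; it is not part of the sandbox output or of the sample. The SHA256 values and the dropped file name are taken from this page. The registry locations (Explorer\Advanced for the Hidden/ShowSuperHidden values, the HKCU/HKLM Run keys) are the usual ones for these behaviours, not keys the report lists, so they are assumptions to confirm against the full IoC details.

```powershell
# Added triage script for the behaviours in this report (not from the report or the sample).
# Registry paths below are assumed standard locations, not values the report itself lists.

# SHA256 values from the report: the submitted sample and the dropped copy.
$KnownSha256 = @(
    '32db468a9e052a6d1d238e09edb15a1ae2164283f1c001c7fba11250fcec89b0',  # submitted .exe
    'eb401378868418deae33abc97547c1fa377e72a5df788dd79a20aab966b7296a'   # C:\Users\Admin\rzqeuj.exe
)
$DroppedName = 'rzqeuj.exe'   # dropped file name from the process tree

$findings = [System.Collections.Generic.List[string]]::new()

# 1. "Modifies visibility of hidden/system files in Explorer" (assumed key).
#    Hidden=2 / ShowSuperHidden=0 are also the Windows defaults, so record the
#    current values and compare them against your baseline rather than treating
#    them as proof of infection on their own.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $p = Get-ItemProperty -Path $adv
    $findings.Add("Explorer\Advanced: Hidden=$($p.Hidden) ShowSuperHidden=$($p.ShowSuperHidden)")
}

# 2. "Adds Run key to start application": flag Run entries that launch an .exe
#    sitting directly in a user profile root, or that name the dropped file.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        $cmd = [string]$prop.Value
        if ($cmd -match '\\Users\\[^\\]+\\[^\\]+\.exe' -or $cmd -match [regex]::Escape($DroppedName)) {
            $findings.Add("Run key $k\$($prop.Name) -> $cmd")
        }
    }
}

# 3. "Executes dropped EXE": hash any .exe directly under a profile root and
#    compare it with the report's hashes. A same-named file with a different
#    hash is still worth a look (the sample may be re-packed or updated).
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($exe in Get-ChildItem -Path $profile.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $h = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256 -contains $h) {
            $findings.Add("Known-bad file: $($exe.FullName) SHA256=$h")
        } elseif ($exe.Name -ieq $DroppedName) {
            $findings.Add("Dropped file name present, hash differs: $($exe.FullName) SHA256=$h")
        }
    }
}

if ($findings.Count -eq 0) { 'No artefacts matching the report found.' } else { $findings }
```

Run it from an elevated prompt so that every profile under C:\Users is readable; HKCU checks only cover the account running the script, so repeat them per user or walk HKU for a full host sweep. The "Checks computer location settings" signature is a registry read, which leaves no persistent artefact on the host; confirming it requires process-level telemetry (Sysmon or ETW registry events) rather than a static check like this one.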

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\rzqeuj.exe

    Filesize

    116KB

    MD5

    8732eb3beb017c71a1677ff3a8718e07

    SHA1

    f70236d1c61f27a63f1dd88cd88834a5cd86835b

    SHA256

    eb401378868418deae33abc97547c1fa377e72a5df788dd79a20aab966b7296a

    SHA512

    7937e768bf6a66d4acb2a19dd3c53f00e68d58f75fac0920e640c277d146f1e7635cb17937f111ff5715100d1db076bb820b40e00e1235179fdb565d439c25b4