Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 03:07

General

  • Target
    784033eb760f67ee0eb10b455532ff4e7530a03bc7bb847d58a0159b958d1d6d.exe
  • Size
    292KB
  • MD5
    a5c99a2e13c8222f37bfbd105e5e83ca
  • SHA1
    b7345fa43899b8a5941eac1dacc8404cf706c380
  • SHA256
    784033eb760f67ee0eb10b455532ff4e7530a03bc7bb847d58a0159b958d1d6d
  • SHA512
    81815d72149b8e320acacedc8ef13b9d2a301577338ccda511f165af2487e82725f497bb9262a0a29103c1c42a6077cd0a1e0db4d8d424e89818c34083846379
  • SSDEEP
    3072:fn5Oz4p9di1YODq7CFLuBpaFBzxk7c7awSZohDnjV2S8NmMx3WarRDSAzsUiztpP:fvi1nLuBpszxk7USZoDnp23xmg9wUutp

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely geofencing.
  • Adds Run key to start application (2 TTPs, 55 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\784033eb760f67ee0eb10b455532ff4e7530a03bc7bb847d58a0159b958d1d6d.exe
    "C:\Users\Admin\AppData\Local\Temp\784033eb760f67ee0eb10b455532ff4e7530a03bc7bb847d58a0159b958d1d6d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\wgduap.exe
      "C:\Users\Admin\wgduap.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5008

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\wgduap.exe
          Filesize
          292KB
          MD5
          3d2f98279d1c4b44cd2f47a2db3b4307
          SHA1
          93c514d818cddb694457f03754926d79328836e7
          SHA256
          f42f2edc99f2850a6b1ce70f23c23bf2bc0f84d50dddee4732c5e4f9ddde6cba
          SHA512
          05bfb44a45e26c98ec9a32cd5fc2129628b523970156d796b8c3b63c6116e4c1b93481fd53c6edd92a7f162aa50c5509af0fc2193e9c2789b1ee5c53b79c32f6
