Analysis

  • max time kernel
    115s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 17:31

General

  • Target

    8951bcdc72c54d1d49428487c2c2ad7a6c785c3772c83f096ef35696e8bc9363.exe

  • Size

    224KB

  • MD5

    d31c81db17f8fc1309c7528925ec93db

  • SHA1

    3a55ffcea1bd5a6f59e6c6f90a0f6c9a7d62a1a9

  • SHA256

    8951bcdc72c54d1d49428487c2c2ad7a6c785c3772c83f096ef35696e8bc9363

  • SHA512

    7d7980ce04f04c0db9aafd278a230a767292edeb211d74f4c22ab6af16b8147ea69366880d0a266df13b0e37cf9fb8f01bd25320f7d09b5f8d904b71e61d30c8

  • SSDEEP

    3072:q788E5EEqiJAKMN9DAXamLKAcfbKyZwP02bVq3NZMf:qW54KMN9DtAcfbK/qT

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8951bcdc72c54d1d49428487c2c2ad7a6c785c3772c83f096ef35696e8bc9363.exe
    "C:\Users\Admin\AppData\Local\Temp\8951bcdc72c54d1d49428487c2c2ad7a6c785c3772c83f096ef35696e8bc9363.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\baexe.exe
      "C:\Users\Admin\baexe.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4188
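
Host-side triage check for the behaviours listed above, added here as an example; it is not part of the sandbox report and not the sample's code. It looks for the dropped executable at the path shown in the process tree (C:\Users\<user>\baexe.exe) and compares its SHA256 with the value the Downloads section gives for that file, lists Run-key persistence entries in the standard HKCU/HKLM locations, and reads the Explorer Advanced values that control hidden/system-file visibility. Assumptions: the registry locations are the standard Windows ones, the Run value name used by the sample is not given in the report (so every Run entry is listed and only entries pointing at baexe.exe are flagged), and the visibility values are reported as-is because Hidden=2 / ShowSuperHidden=0 are also the Windows defaults and only mean something alongside the other findings.

```powershell
# Added triage script (example only; not from the report or the sample).
# Run as the affected user, or elevated to read HKLM\...\Run for all views.

$DroppedName   = 'baexe.exe'
# SHA256 of C:\Users\Admin\baexe.exe from the report's Downloads section
$DroppedSha256 = 'e9286e8968cf22f1f114c824fae13c8d12b8e975c1b0a1afbeff36361d3ea72f'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped executable in any user profile root (report: C:\Users\Admin\baexe.exe)
Get-ChildItem -Path "C:\Users\*\$DroppedName" -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    $note = if ($hash -eq $DroppedSha256) { 'SHA256 matches report' } else { "SHA256 $hash differs from report" }
    $findings.Add("Dropped file present: $($_.FullName) [$note]")
}

# 2. Run-key persistence (user hive, machine hive, and the 32-bit view on x64)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip provider metadata (PSPath, PSParentPath, ...)
        $entry = "$key\$($p.Name) = $($p.Value)"
        if ("$($p.Value)" -match [regex]::Escape($DroppedName)) {
            $findings.Add("Run-key persistence pointing at dropped file: $entry")
        } else {
            Write-Output "Run entry (review manually): $entry"
        }
    }
}

# 3. Explorer hidden/system-file visibility (the 'Modifies visibility' signature above)
# Hidden: 1 = show hidden files, 2 = do not show. ShowSuperHidden: 1 = show protected OS files, 0 = hide.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$vis = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($vis) {
    Write-Output ("Explorer visibility: Hidden={0} ShowSuperHidden={1} (defaults are 2 and 0; " +
                  "compare against this user's known baseline)") -f $vis.Hidden, $vis.ShowSuperHidden
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from the report found on this host."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The report's first-stage executable ran from %TEMP% and the second stage from the profile root, so a clean hash match on C:\Users\*\baexe.exe is the strongest of the three checks; the Run-key and Explorer values are corroborating, not conclusive, since legitimate software also writes Run entries and the visibility defaults are the "hide" settings.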

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\baexe.exe

          Filesize

          224KB

          MD5

          d280f90888df42a7a4746f4c1fbcb938

          SHA1

          6f71a792e3d6d82c668dea2e74073027a049ff13

          SHA256

          e9286e8968cf22f1f114c824fae13c8d12b8e975c1b0a1afbeff36361d3ea72f

          SHA512

          80d570ad8dc03d09444b81c267b813acb7229f62e68cdc891eedd99be4f1f4ea44a2e9b600cca9963de9d0e600d55daca51e5612da67f7237bb6844ca495f8bf
