Overview

overview

10

Static

static

a4a5f68c4c...b6.exe

windows7-x64

10

a4a5f68c4c...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 17:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4a5f68c4c9b77e3a2bd06f47d02a29e8488eb98bf9b685489383de53645d8b6.exe

  • Size

    132KB

  • MD5

    560f0b191033ab1ee8975559b31cad40

  • SHA1

    0a01731f7d7ae93fa21739147ba828ddc131b901

  • SHA256

    a4a5f68c4c9b77e3a2bd06f47d02a29e8488eb98bf9b685489383de53645d8b6

  • SHA512

    e3473885f0d36f219a714c22a08b7ef3930c35af5e56d35ff841b71561379cd321fd9e2a4e67922f1e84df0f96faf73bc9f37ecd4478436cb5d85bcbd01ec9a5

  • SSDEEP

    1536:addi3uQIIKZrDJZ3JuIuRWIelOQ212I/6jDSUaWpEEHCjP4YTyorkt5ycQg:EjH8IuRrjWmEiyoryLX

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4a5f68c4c9b77e3a2bd06f47d02a29e8488eb98bf9b685489383de53645d8b6.exe
    "C:\Users\Admin\AppData\Local\Temp\a4a5f68c4c9b77e3a2bd06f47d02a29e8488eb98bf9b685489383de53645d8b6.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Users\Admin\hhyaek.exe
      "C:\Users\Admin\hhyaek.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\hhyaek.exe
    Filesize

    132KB

    MD5

    7683df1e4e5640c904875029fde0954a

    SHA1

    3bbdac02d8e0783ea4a5ef5ffef8ff6e52ff461e

    SHA256

    fece63c1f1d9afb96002b4e40973904a043a6051c8bf886e177631ee54c4416c

    SHA512

    090118b6650494fc5c9c5a65b6cd03216f9ed486bd5db3a11425388cf435964e35e8ee7b033e800adc90eb6fa3a8f1b5158b54738ebfb99dd12a1705f19dd349

    Download Submit

  • C:\Users\Admin\hhyaek.exe
    Filesize

    132KB

    MD5

    7683df1e4e5640c904875029fde0954a

    SHA1

    3bbdac02d8e0783ea4a5ef5ffef8ff6e52ff461e

    SHA256

    fece63c1f1d9afb96002b4e40973904a043a6051c8bf886e177631ee54c4416c

    SHA512

    090118b6650494fc5c9c5a65b6cd03216f9ed486bd5db3a11425388cf435964e35e8ee7b033e800adc90eb6fa3a8f1b5158b54738ebfb99dd12a1705f19dd349

    Download Submit