Analysis

  • max time kernel
    175s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 22:59

General

  • Target

    a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe

  • Size

    88KB

  • MD5

    5d66df5aad51b1f2ec533983f9915852

  • SHA1

    46b2a4fffa7f3c3a3c008c6e487c742ea3184031

  • SHA256

    a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd

  • SHA512

    f7aa23af00ecb87ac9fd41d743eb0af2daa8ccd8e05e1933cefd349ddeda4945f9bff35145eef96915b47b09f99f2c5d445564d9a2b68c9d77a1a029947ec4d4

  • SSDEEP

    768:7Lk9rFEGNu34C/lfQzxKztTp8KS5k+qIYvCdUwY7EqVN14+QCnq/K/7ZP:7LksGGloAztd8HtPY7DN14Oqi/7ZP

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
    "C:\Users\Admin\AppData\Local\Temp\a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\miagax.exe
      "C:\Users\Admin\miagax.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1092

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\miagax.exe

    Filesize

    88KB

    MD5

    e67f6401d64d9e0feab1fc8cd59876b6

    SHA1

    dce8aeb13e57ab8374f3c885be0746f498eb074c

    SHA256

    d9ceda20ca59787afc24d1447f4c2ceb6fe15e09824dea67107f35493fb18fe0

    SHA512

    64040586fec061c5f8de984f0e862566f443f7987d0f14d71a5034bee0ab9150027eb3c9760ddad85982b5bb74f4531f98b8833623a97343c1ec7d5687e9dcdd