Analysis

  • max time kernel
    172s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2022, 23:41

General

  • Target

    56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe

  • Size

    168KB

  • MD5

    aeba923aa67744ef6570c3c770a4e07f

  • SHA1

    7d4dc3567ca11550211bb668cbd2e041101ea3eb

  • SHA256

    56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b

  • SHA512

    9a97e1d408276e6a1ee392eb93366c7ea81981640c4e8202bc91102ed6c875d26618e59486215676eec37c545e80e91c8f2515d01e2f17020ebf1ae18d799722

  • SSDEEP

    1536:xAFlHooXxTaSfm8UI+FQZAq7UjbJw5aCUZeBB++7XVFfFVE/9jMhmqLBzmxI:OlHooXxYUZvUH2aZZer++7XVb5gI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but drive enumeration on its own is a weak indicator: no file-encryption or ransom-note activity is listed anywhere else in this report, so weigh it together with the persistence and dropper signatures above.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe
    "C:\Users\Admin\AppData\Local\Temp\56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\jeumo.exe
      "C:\Users\Admin\jeumo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1928
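
The process tree and signatures above give three host-side artifacts worth hunting for: the payload dropped as jeumo.exe in the user profile root, a Run-key entry pointing at it, and changes to Explorer's hidden-file view settings. The script below is an added example, not part of the sandbox report or of the sample. The SHA256 values and the C:\Users\<user>\jeumo.exe path come from the report; the exact registry locations (the Run keys and the Hidden / ShowSuperHidden values under Explorer\Advanced) are assumptions about what the "Adds Run key" and "Modifies visibility" signatures correspond to, since the report does not list the values written.

```powershell
# Added hunting example (not from the report). Hashes and drop path are taken
# from the analysis above; the registry values checked are assumptions about
# what the sandbox signatures detected. Run in an elevated PowerShell session
# on the host being triaged.

$Iocs = @{
    DropperSha256 = '56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b'
    DroppedSha256 = '681d07e43c2e68b2678720d33f272ed6e33a6660a2d6ceca346a0a4e4e3e4ce0'
    DroppedName   = 'jeumo.exe'
}

$findings = @()

# 1. Dropped payload: the sample writes jeumo.exe straight into the profile root,
#    so check every profile, including hidden files (-Force).
Get-ChildItem -Path 'C:\Users\*\jeumo.exe' -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash.ToLower()
        $findings += [pscustomobject]@{
            Check  = 'DroppedFile'
            Where  = $_.FullName
            Detail = $hash
            # An exact match ties the host to this sample; a mismatch still needs a
            # look, because the name and location alone are unusual.
            Match  = ($hash -eq $Iocs.DroppedSha256)
        }
    }

# 2. Persistence: Run-key values referencing jeumo.exe. HKCU only covers the user
#    running this script, so loaded profiles under HKEY_USERS are checked too.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
        if ("$($p.Value)" -like "*$($Iocs.DroppedName)*") {
            $findings += [pscustomobject]@{
                Check  = 'RunKey'
                Where  = "$key\$($p.Name)"
                Detail = $p.Value
                Match  = $true
            }
        }
    }
}

# 3. Explorer view tampering (assumed target of the "Modifies visibility" signature).
#    Hidden=2 hides hidden files and ShowSuperHidden=0 hides protected OS files.
#    Both are also the defaults for a fresh profile, so treat this only as
#    supporting evidence next to a hit from check 1 or 2.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) {
    $findings += [pscustomobject]@{
        Check  = 'ExplorerAdvanced'
        Where  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
        Detail = "Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden)"
        Match  = ($adv.Hidden -eq 2 -and $adv.ShowSuperHidden -eq 0)
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Check -ne 'ExplorerAdvanced' -and $_.Match }) {
    Write-Warning 'Host carries IoCs from this report: isolate it and preserve the Run-key values and the dropped file before remediating.'
}
```

The dropper itself ran from %TEMP% in the sandbox; on a real host it will sit wherever the user saved it, so hashing suspicious executables against `$Iocs.DropperSha256` is a separate, path-independent step. Because the dropped copy has a different hash from the parent (the report lists both), match on both values rather than assuming one.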

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\jeumo.exe

    Filesize

    168KB

    MD5

    ccd8f2b1a4e0a5a09504ab5a09dc273e

    SHA1

    ff163a53cf41f9aeae6563673144a0da7fc6dbc8

    SHA256

    681d07e43c2e68b2678720d33f272ed6e33a6660a2d6ceca346a0a4e4e3e4ce0

    SHA512

    10f07e6e02baab53be14f535a459f57e15be044df95c29fadc278bcaada3270d11b4a13d573f53ec5ded3141585f9ef6d092dd190009d999f10cea8e57ca47f4

  • \Users\Admin\jeumo.exe

    Filesize

    168KB

    MD5

    ccd8f2b1a4e0a5a09504ab5a09dc273e

    SHA1

    ff163a53cf41f9aeae6563673144a0da7fc6dbc8

    SHA256

    681d07e43c2e68b2678720d33f272ed6e33a6660a2d6ceca346a0a4e4e3e4ce0

    SHA512

    10f07e6e02baab53be14f535a459f57e15be044df95c29fadc278bcaada3270d11b4a13d573f53ec5ded3141585f9ef6d092dd190009d999f10cea8e57ca47f4

  • memory/900-56-0x0000000075571000-0x0000000075573000-memory.dmp

    Filesize

    8KB