Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01-12-2022 23:51

General

  • Target

    e3d8fdc6303d477b14d37ce6a8cc7d48435f671be09e3167b2572d83871e583d.exe

  • Size

    224KB

  • MD5

    aaa038a4afb70a3c98428b934ec9ef02

  • SHA1

    289cbf33bf472e7ae6ec82d67d85d40386415480

  • SHA256

    e3d8fdc6303d477b14d37ce6a8cc7d48435f671be09e3167b2572d83871e583d

  • SHA512

    19c4be51eeffb8225db102b54b3fedf39ac3f3ba613d913022242e561151e68fe712557820e5c8315508f0d2ec38b894e0b14147994dc1b6b40c2fbe24cac07e

  • SSDEEP

    6144:mFILyFdn53qLowKnvmb7/D26NID5UR2uNhVc5QTI/Mfqcp:mWL+n53qLowKnvmb7/D26rVc5AIMfqcp

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3d8fdc6303d477b14d37ce6a8cc7d48435f671be09e3167b2572d83871e583d.exe
    "C:\Users\Admin\AppData\Local\Temp\e3d8fdc6303d477b14d37ce6a8cc7d48435f671be09e3167b2572d83871e583d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\tmjig.exe
      "C:\Users\Admin\tmjig.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4824

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tmjig.exe

    Filesize

    224KB

    MD5

    18e805b6d5ef25c7d2412abb7877330c

    SHA1

    4086403dd85de23179f73c8c33d11568b9ae99dd

    SHA256

    84149c33e71855c7de365fa3777b03155101967c9115f01daf37c3991b0de3b7

    SHA512

    ca22b3394f80113ca61d7cfc1bc135a491c1925351c6a39563f9a2f5653bd517948a34f61fcbd98fc6c0dec76c9b14358b9cd5846e0d3ae69379d6a303c418bd

  • memory/4824-134-0x0000000000000000-mapping.dmp