1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab

Analysis

max time kernel
164s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
Size

92KB
MD5

6c86db7e1548a489815b4e7a1f4dea55
SHA1

15781320685a8375f18745841f47bff8993181c9
SHA256

1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab
SHA512

c00f3235befb704a8dfa4e35ecd601cd6e6b6d4d2188e7bb36301f5ce753a8e280d17b09fc09328314736f080d12764804f3ddc15b0814c89e06059ceb18ea5e
SSDEEP

1536:K3ICjeh1JHsrll4ldQwEVtzq7YWVuYwO/1a4o2faHc3u:KjEJMBlCdQXtu7YiuYwO/1a4o2fMyu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4320	Explorer.exe
5084	explorer.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Axefeu Gxx\Explorer.exe	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
File opened for modification	C:\Program Files (x86)\Axefeu Gxx\Explorer.exe	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
File opened for modification	C:\Program Files (x86)\Yhaecn\12103	Explorer.exe
File opened for modification	C:\Program Files (x86)\Yhaecn\10746	Explorer.exe
File opened for modification	C:\Program Files (x86)\Yhaecn\Path.rcd	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Explorer.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe
4320	Explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4320	5016	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	81
PID 5016 wrote to memory of 4320	5016	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	81
PID 5016 wrote to memory of 4320	5016	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	81
PID 4320 wrote to memory of 5084	4320	Explorer.exe	82
PID 4320 wrote to memory of 5084	4320	Explorer.exe	82
PID 4320 wrote to memory of 5084	4320	Explorer.exe	82

C:\Users\Admin\AppData\Local\Temp\1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
"C:\Users\Admin\AppData\Local\Temp\1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files (x86)\Axefeu Gxx\Explorer.exe
  FI
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Program Files (x86)\Axefeu Gxx\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Axefeu Gxx\Explorer.exe

Filesize
19.8MB

MD5
df16f92b3e205f9730d9a7871b328a8f

SHA1
11565ced2e3e556862623e23607318cff95c02f9

SHA256
b6618a42e707391f22ea4290eb2212dcd22182c207bc531e1b866808eb1d2c30

SHA512
23d3f3cbd7c3e19c12b6e17e7b0be87f73951e73635a7122707ddfda750da5075c751bf391ff806726f78e65c911acc76d3acefeb6228ff4d1ac0790f6ceaf52

Download Submit
C:\Program Files (x86)\Axefeu Gxx\Explorer.exe

Filesize
19.8MB

MD5
df16f92b3e205f9730d9a7871b328a8f

SHA1
11565ced2e3e556862623e23607318cff95c02f9

SHA256
b6618a42e707391f22ea4290eb2212dcd22182c207bc531e1b866808eb1d2c30

SHA512
23d3f3cbd7c3e19c12b6e17e7b0be87f73951e73635a7122707ddfda750da5075c751bf391ff806726f78e65c911acc76d3acefeb6228ff4d1ac0790f6ceaf52

Download Submit
C:\Program Files (x86)\Axefeu Gxx\Explorer.exe

Filesize
19.8MB

MD5
df16f92b3e205f9730d9a7871b328a8f

SHA1
11565ced2e3e556862623e23607318cff95c02f9

SHA256
b6618a42e707391f22ea4290eb2212dcd22182c207bc531e1b866808eb1d2c30

SHA512
23d3f3cbd7c3e19c12b6e17e7b0be87f73951e73635a7122707ddfda750da5075c751bf391ff806726f78e65c911acc76d3acefeb6228ff4d1ac0790f6ceaf52

Download Submit
C:\Program Files (x86)\Yhaecn\Path.rcd

Filesize
260B

MD5
0c9c39c0a3cf6467e26c8e7fc106f99d

SHA1
15c2229c2b735be768b59bdb21d80058ebb9d1f0

SHA256
f1bab7f791dbf850c54e75857d677bf71a799e8d1e4c14a69dd07e394a85d2d9

SHA512
067b7133864fd5bb6761c20798edad4c37a183fd53cbe4ea05d1f4c4b07d42546b35d534bc584e94544b26baf2f385ae5de6a6f4059fd653bed16fcae3264c22

Download Submit
memory/4320-132-0x0000000000000000-mapping.dmp

Download
memory/5084-136-0x0000000000000000-mapping.dmp

Download