Analysis

  • max time kernel
    194s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/12/2022, 00:49

General

  • Target

    dabe7c627f8f13987b5bf50e7fbf03712e02c6533e2d9c257012db65ce58cec0.exe

  • Size

    148KB

  • MD5

    6be2abb50fd8837e7eeb5632e9a8a8ef

  • SHA1

    98359a2b243d7cf1eba4f4a94b2f4ba43596331f

  • SHA256

    dabe7c627f8f13987b5bf50e7fbf03712e02c6533e2d9c257012db65ce58cec0

  • SHA512

    df91316e2145e41a1c1cbad1ce0d038114589adef189940314552d06838326492a62cd01e74791082c202b6dbd8e8ca2ce3d805e6060eae17b5463aa15c97a91

  • SSDEEP

    3072:xo5BVnzPVigj6G7gW1lktdVbKPkKE9qKIu64oQZiEsy7:EBVz9Fj7b1eDvXI3WiG

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dabe7c627f8f13987b5bf50e7fbf03712e02c6533e2d9c257012db65ce58cec0.exe
    "C:\Users\Admin\AppData\Local\Temp\dabe7c627f8f13987b5bf50e7fbf03712e02c6533e2d9c257012db65ce58cec0.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\tmhuad.exe
      "C:\Users\Admin\tmhuad.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3844

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tmhuad.exe

    Filesize

    148KB

    MD5

    eae062a95d9f7edaf44d000670c6fef2

    SHA1

    f7fc44ad0f4f8940e6872de0deda428883ca45b1

    SHA256

    bac75bad787a3e1d4bbd3999c4b38f9697e32d23688de779e3c354fabc79eefd

    SHA512

    30d518cb57b980aed36c5417018afaf30409149ece630ba0420c0350e3f93f4c3a501b423c53770d1390645381fa288118f279ddc31a5d39863cddaa025c72f4
