Analysis

  • max time kernel
    164s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/12/2022, 00:08

General

  • Target

    5abe0803557a3398a795b2f9094a5b003551f1641127d6b8174837dc8791e3c9.exe

  • Size

    224KB

  • MD5

    17bb0ba7a218b206528a009edf56ee10

  • SHA1

    db2bbe18fc178ad19920b36ef72ad25ddc2c9462

  • SHA256

    5abe0803557a3398a795b2f9094a5b003551f1641127d6b8174837dc8791e3c9

  • SHA512

    245bc63167eaf83adb0346d4c3d659f92782de90f8d683d96d9b1cf7224e3df0b5d45070acfbeb078161d80a678251681b29ebe793b5db7d4844a7b64ad84259

  • SSDEEP

    3072:SXyqNsMoBux3ZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax26:tqN5xvp4LnbmlrZW

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5abe0803557a3398a795b2f9094a5b003551f1641127d6b8174837dc8791e3c9.exe
    "C:\Users\Admin\AppData\Local\Temp\5abe0803557a3398a795b2f9094a5b003551f1641127d6b8174837dc8791e3c9.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\muuer.exe
      "C:\Users\Admin\muuer.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1848

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\muuer.exe

    Filesize

    224KB

    MD5

    c5198f69e11560d8ab25fd23caac64a7

    SHA1

    cf9c8a61313e9c2476f7c170a3a85a2c7e199b62

    SHA256

    d7b3728363d38f7c2497701348c8f4c3bef3facfd1d187eed101d7a2553f978a

    SHA512

    a36d58520da6f573a7950cc120ebc39cb1182a6cfe6651f5f2df0ec08f5c92e8f79a82ea04fd43612fe3e41aec9fcfd285caa0bf1b8247ce86cc3e1315b560d8
