Overview

overview

10

Static

static

822d4c8119...95.exe

windows7-x64

10

822d4c8119...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    822d4c81192ffb8322420c4bf81fded452727a9843b0bebc96d65610edba7b95.exe

  • Size

    116KB

  • MD5

    4775ef3fc8664d3cf991fe71d85d5ae6

  • SHA1

    bd8ffbfb43dd2e7535c403dc8af0e45a08212e43

  • SHA256

    822d4c81192ffb8322420c4bf81fded452727a9843b0bebc96d65610edba7b95

  • SHA512

    f1b564ac1946e7423ab59882a9ef443d47ae4f64e3b745b84451fae4dd67ed5a0a4e187dc8846e1d86e2e62cc9d13757db6c4aa864a621792efaf8985b0524b2

  • SSDEEP

    1536:OWxBr+AQR8Kw6KBOcW4Z8HO1Zwt0f4HfDUEdMOPy9sbgNcwo7JaS1:RiACfcr1ZoDUEdZwQL

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\822d4c81192ffb8322420c4bf81fded452727a9843b0bebc96d65610edba7b95.exe
    "C:\Users\Admin\AppData\Local\Temp\822d4c81192ffb8322420c4bf81fded452727a9843b0bebc96d65610edba7b95.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\muiopat.exe
      "C:\Users\Admin\muiopat.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1260

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\muiopat.exe
    Filesize

    116KB

    MD5

    aa6ec0bde39a0a92b86b20c0dd3550d5

    SHA1

    67c55e3589f65d25a9f062c4f1a147d8297329d7

    SHA256

    1c237a11e735d05f10751985d13ae9867b659a59a1617e3f134ada4f6588b571

    SHA512

    77b84dd00d14a67de036f627099e9d24d26599aaf77c4be3f3ede942ba6184a479ada2728230bc04176d3ce971f6648c8ad1e87577ecf96927f2c7aa908deab3

    Download Submit

  • C:\Users\Admin\muiopat.exe
    Filesize

    116KB

    MD5

    aa6ec0bde39a0a92b86b20c0dd3550d5

    SHA1

    67c55e3589f65d25a9f062c4f1a147d8297329d7

    SHA256

    1c237a11e735d05f10751985d13ae9867b659a59a1617e3f134ada4f6588b571

    SHA512

    77b84dd00d14a67de036f627099e9d24d26599aaf77c4be3f3ede942ba6184a479ada2728230bc04176d3ce971f6648c8ad1e87577ecf96927f2c7aa908deab3

    Download Submit