Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-12-2022 21:06

General

  • Target

    921193350ef06f783dc078f92015041722cd62454323bd4e41891b3a6f147cba.exe

  • Size

    156KB

  • MD5

    5bed80e1ef8747973c96e7deb9c23774

  • SHA1

    02e8152c4f06903bedfe135799d10993328b01c3

  • SHA256

    921193350ef06f783dc078f92015041722cd62454323bd4e41891b3a6f147cba

  • SHA512

    7c4436b419cbbff003d20de7f696ce72903c150efa04d7cbd7679ff74c787fc62412dc12e1f1c5fe1f983a58f2bc590aaec19615cd10ab3e9b33be50ca1853b4

  • SSDEEP

    3072:X0O2WKj5h3QKWXXWXG8FF7K+AmsgE5kEZZZy6x8z4oQZiEPc:TKjX3QKKXWFFF7KlgaS/WO

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\921193350ef06f783dc078f92015041722cd62454323bd4e41891b3a6f147cba.exe
    "C:\Users\Admin\AppData\Local\Temp\921193350ef06f783dc078f92015041722cd62454323bd4e41891b3a6f147cba.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\qjzal.exe
      "C:\Users\Admin\qjzal.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5112
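
The process tree and signatures above give a host-side hunting checklist: a Run-key persistence entry, a dropped executable sitting directly under the user profile (C:\Users\Admin\qjzal.exe), Explorer hidden/system-file visibility values, and a registry country-code lookup. The PowerShell below is an added, read-only triage script for a suspect Windows host, not part of the sandbox output; it compares any Run-key target against the two SHA256 values in this report. The Run and Explorer\Advanced key paths are the standard per-user locations; treating HKCU\Control Panel\International\Geo\Nation as the "country code" the report refers to is an assumption.

```powershell
# Added triage script (not part of the sandbox report). Read-only: it changes nothing on the host.

# SHA256 values taken from this report: the submitted sample and the dropped qjzal.exe.
$KnownBad = @{
    '921193350EF06F783DC078F92015041722CD62454323BD4E41891B3A6F147CBA' = 'submitted sample'
    '30EB78BC7011767495A276F198D5A9257835061BAB907DDE5A01AB2A11A3AF26' = 'dropped qjzal.exe'
}
$Findings = @()

# 1. "Adds Run key to start application": enumerate Run/RunOnce for every loaded user hive and
#    flag entries whose target is an .exe directly under a profile root (C:\Users\<user>\x.exe),
#    which is where this sample placed qjzal.exe.
$RunKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
    foreach ($sub in $RunKeys) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive members
            $cmd = [string]$p.Value
            # Take the executable from the command line: quoted path, else the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $inProfileRoot = $exe -match '^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$'
            $Findings += [pscustomobject]@{
                Check = 'RunKey'; Where = "$path\$($p.Name)"; Value = $cmd
                Flag  = if ($inProfileRoot) { 'exe directly under a user profile root' } else { '' }
            }
            # 2. Hash the Run-key target and compare with the report's SHA256 values.
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $h = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                if ($KnownBad.ContainsKey($h)) {
                    $Findings += [pscustomobject]@{
                        Check = 'Hash'; Where = $exe; Value = $h; Flag = "matches report: $($KnownBad[$h])"
                    }
                }
            }
        }
    }
}

# 3. "Modifies visibility of hidden/system files in Explorer": the per-user values are
#    Hidden (1 = show hidden files, 2 = do not show) and ShowSuperHidden (1 = show protected
#    OS files, 0 = hide them). 2 / 0 are also the Windows defaults, so compare these against
#    your own baseline rather than treating the values alone as an indicator.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$advProps = Get-ItemProperty -LiteralPath $adv -ErrorAction SilentlyContinue
$Findings += [pscustomobject]@{ Check = 'ExplorerHidden'; Where = "$adv\Hidden";
                                Value = $advProps.Hidden; Flag = 'compare with baseline' }
$Findings += [pscustomobject]@{ Check = 'ExplorerHidden'; Where = "$adv\ShowSuperHidden";
                                Value = $advProps.ShowSuperHidden; Flag = 'compare with baseline' }

# 4. "Checks computer location settings": assumed here to be the GeoID stored at
#    HKCU\Control Panel\International\Geo\Nation (the per-user country setting).
$geo = Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
$Findings += [pscustomobject]@{ Check = 'GeoID'; Where = 'HKCU:\Control Panel\International\Geo\Nation';
                                Value = $geo.Nation; Flag = '' }

$Findings | Format-Table -AutoSize -Wrap
```

Run it as the affected user so HKCU resolves to the right hive; the HKEY_USERS loop also covers other loaded profiles. A hash hit on a Run-key target is the decisive finding; the profile-root heuristic and the Explorer values are leads that need a baseline or a registry last-write timestamp to confirm.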

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\qjzal.exe

    Filesize

    156KB

    MD5

    4d884665d53436189e91be5b5a053e77

    SHA1

    ccc2493325ce3d00e4b2197883438688932581b3

    SHA256

    30eb78bc7011767495a276f198d5a9257835061bab907dde5a01ab2a11a3af26

    SHA512

    aaca117b399fc08087d8f7859742c31a01d33d44d973d40e49d26af96e813d97932b342e256dd195d1363491f807a2bf92bcde42ffd000eb4838e018d1eebe76

  • memory/5112-134-0x0000000000000000-mapping.dmp