Overview

overview

10

Static

static

f47a7701d8...0f.exe

windows7-x64

10

f47a7701d8...0f.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f47a7701d8d7163eb389c520790b2f3bd95c4b6609d3eaff2cddd2640496a80f.exe

  • Size

    160KB

  • MD5

    8fb8e157fbfbfceca0fb262f80135e66

  • SHA1

    51788651a3af48b072337cdebd6b5fc010a8eb9f

  • SHA256

    f47a7701d8d7163eb389c520790b2f3bd95c4b6609d3eaff2cddd2640496a80f

  • SHA512

    8b44881e7f1ef8f4cd3e9d663ee89d53359a21c02ddc99893a4cc13d3e139f35bf641acb7a5b985f0fce70411a25f921a2aef4787f84cca96a160691935d11ea

  • SSDEEP

    768:04lvMav7J5fT7wbjMPkG1VuW/wqvRXMXp677yCzdXZRT2Nq1MaQnepMri14PGBEo:04RlTJ5fTElGVs4emEFb

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f47a7701d8d7163eb389c520790b2f3bd95c4b6609d3eaff2cddd2640496a80f.exe
    "C:\Users\Admin\AppData\Local\Temp\f47a7701d8d7163eb389c520790b2f3bd95c4b6609d3eaff2cddd2640496a80f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Users\Admin\heupoem.exe
      "C:\Users\Admin\heupoem.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\heupoem.exe
    Filesize

    160KB

    MD5

    1c248137d9ad3db1c22031cfcc2a2b31

    SHA1

    b90f51b24c4da97fb16def681f17147bd985c55c

    SHA256

    e0a7dea0832d93d9fc5cec3a016d5c7db8444e263b5f8bc20ed26bbb07c91f84

    SHA512

    a6d78591bf770c7e65b1dbb184ad9524c946a565d1c38c3a8c15b05bb963b300bc76e8bf215d25a06df3514eea7c9c8c71fcc84ef64e63caf90a5d89483e3dbe

    Download Submit

  • C:\Users\Admin\heupoem.exe
    Filesize

    160KB

    MD5

    1c248137d9ad3db1c22031cfcc2a2b31

    SHA1

    b90f51b24c4da97fb16def681f17147bd985c55c

    SHA256

    e0a7dea0832d93d9fc5cec3a016d5c7db8444e263b5f8bc20ed26bbb07c91f84

    SHA512

    a6d78591bf770c7e65b1dbb184ad9524c946a565d1c38c3a8c15b05bb963b300bc76e8bf215d25a06df3514eea7c9c8c71fcc84ef64e63caf90a5d89483e3dbe

    Download Submit

  • \Users\Admin\heupoem.exe
    Filesize

    160KB

    MD5

    1c248137d9ad3db1c22031cfcc2a2b31

    SHA1

    b90f51b24c4da97fb16def681f17147bd985c55c

    SHA256

    e0a7dea0832d93d9fc5cec3a016d5c7db8444e263b5f8bc20ed26bbb07c91f84

    SHA512

    a6d78591bf770c7e65b1dbb184ad9524c946a565d1c38c3a8c15b05bb963b300bc76e8bf215d25a06df3514eea7c9c8c71fcc84ef64e63caf90a5d89483e3dbe

    Download Submit

  • \Users\Admin\heupoem.exe
    Filesize

    160KB

    MD5

    1c248137d9ad3db1c22031cfcc2a2b31

    SHA1

    b90f51b24c4da97fb16def681f17147bd985c55c

    SHA256

    e0a7dea0832d93d9fc5cec3a016d5c7db8444e263b5f8bc20ed26bbb07c91f84

    SHA512

    a6d78591bf770c7e65b1dbb184ad9524c946a565d1c38c3a8c15b05bb963b300bc76e8bf215d25a06df3514eea7c9c8c71fcc84ef64e63caf90a5d89483e3dbe

    Download Submit

  • memory/1140-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

    Filesize

    8KB

    Download