Analysis

  • max time kernel
    368s
  • max time network
    435s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/12/2022, 20:22

General

  • Target

    c760c6760f6c854efd2091f4e146384f0edf775407d7f50939911703e0cc6238.exe

  • Size

    144KB

  • MD5

    ef873c2e5a4b962fa6790bf504c78e9a

  • SHA1

    a341a187465fa80a55e35f30361e161d2085b030

  • SHA256

    c760c6760f6c854efd2091f4e146384f0edf775407d7f50939911703e0cc6238

  • SHA512

    b6e0d249cddb26a9497b4d998a01c20165bfd0ad8afcfc7bb6d629133cef71e05cf8a84002e65c8aa149f139e12a3d3617650ef365365e28e21ee37bf3f2c538

  • SSDEEP

    1536:UJeDVk4PWt3obHtha0G+UAqn2z3HldOlfL3wi6GdUS9qfmAhjimR:hDK4OtgHEplAVMlfT5dgfmAFimR

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c760c6760f6c854efd2091f4e146384f0edf775407d7f50939911703e0cc6238.exe
    "C:\Users\Admin\AppData\Local\Temp\c760c6760f6c854efd2091f4e146384f0edf775407d7f50939911703e0cc6238.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Users\Admin\pcgooc.exe
      "C:\Users\Admin\pcgooc.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4968
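
Host triage for the artifacts this report records: the dropped copy at C:\Users\Admin\pcgooc.exe, a Run-key entry pointing at it, and Explorer's hidden/system-file visibility settings. This is an added example written for this page, not part of the sandbox report or the sample. The report gives IoC counts but not the exact registry values written, so the key and value names below are the standard Windows locations for these settings and are assumptions to confirm against the full sandbox detail. Note from the report itself that the dropped copy is the same size (144KB) as the parent but has different MD5/SHA1/SHA256/SHA512 values, so a hash-only match on the parent will miss the copy; the script therefore matches on both hashes and flags a same-named file with an unknown hash too.

```powershell
# Triage script for the artifacts listed in this report (added example, not the report's own output).
# Registry paths are the standard Windows locations for these settings (assumption: the sample
# touched these, the report only gives IoC counts). Run as an administrator to see every user hive.

$ParentSha256  = 'c760c6760f6c854efd2091f4e146384f0edf775407d7f50939911703e0cc6238'
$DroppedSha256 = '33a10c0f9bf30a0ed6bea1eb6ef5eeb95328cbc521b3d4bd61cc491c195e2bbf'
$DroppedName   = 'pcgooc.exe'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped executable in any user profile root (report: C:\Users\Admin\pcgooc.exe).
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $candidate = Join-Path $profile.FullName $DroppedName
    if (Test-Path -LiteralPath $candidate) {
        $hash  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
        $match = switch ($hash) {
            $ParentSha256  { 'parent sample' }
            $DroppedSha256 { 'dropped copy from this report' }
            default        { 'unknown hash (same name; the copy differs from the parent, so do not rely on hash alone)' }
        }
        $findings.Add("file: $candidate sha256=$hash ($match)")
    }
}

# 2. Run-key persistence referencing the dropped name, machine-wide and in every loaded user hive.
$userSids = (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName
$runKeys  = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($sid in $userSids) {
    $runKeys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
        $value = [string]$props.$name
        if ($value -match [regex]::Escape($DroppedName)) {
            $findings.Add("runkey: $key\$name = $value")
        }
    }
}

# 3. Explorer hidden/system-file visibility. Assumed semantics: Hidden=2 hides hidden files,
#    ShowSuperHidden=0 hides protected OS files. Both are also Windows defaults, so this only
#    means something when compared with the user's known baseline.
foreach ($sid in $userSids) {
    $adv = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    if (-not (Test-Path -LiteralPath $adv)) { continue }
    $p = Get-ItemProperty -LiteralPath $adv
    if ($p.Hidden -eq 2 -or $p.ShowSuperHidden -eq 0) {
        $findings.Add("explorer: $adv Hidden=$($p.Hidden) ShowSuperHidden=$($p.ShowSuperHidden)")
    }
}

if ($findings.Count -eq 0) { 'no artifacts from this report found' } else { $findings }
```

The file and Run-key checks are the actionable ones; the Explorer visibility check is included because the report flags it, but its values match a default Windows profile, so treat it as corroboration only when a user or baseline image is known to have had hidden files enabled.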

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\pcgooc.exe

          Filesize

          144KB

          MD5

          8bf12fe532df68d84bc093ed7f6ccef0

          SHA1

          443f8b86fb9d5f1828379982d910adb6079b309c

          SHA256

          33a10c0f9bf30a0ed6bea1eb6ef5eeb95328cbc521b3d4bd61cc491c195e2bbf

          SHA512

          421e0d4a20759cd2079bf901df8ddf9d56b6c1c59b4517b99f0b2a37738de4109ff2103bda6142a6e93514d013daebc279a34ac561461bd1aa98a90448d962b4