Analysis

  • max time kernel
    153s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 20:11

General

  • Target

    a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe

  • Size

    124KB

  • MD5

    52d197a8f2403b7cd836dc265b72a988

  • SHA1

    3407489236adab68e5e148aa4d3ab3b0c18117be

  • SHA256

    a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65

  • SHA512

    3087cb8caa73499283f6522e4d1597674e01c72a0566ab34de46c4fee4e49df0ffdacd49769a600e8db82120bd8fdde59263eaa95eed49dd724103c3970b6849

  • SSDEEP

    3072:ICMQBK3vXvOG2RdYjH08qdLxilMiyfwAfGxMwE:5M2K3vXWG4mzQLxilMiyfwAfGx

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
    "C:\Users\Admin\AppData\Local\Temp\a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Users\Admin\mcbob.exe
      "C:\Users\Admin\mcbob.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3424

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\mcbob.exe

    Filesize

    124KB

    MD5

    6adad785fc5b8dc71503710cff8b6ff2

    SHA1

    53b874f8934b1b6aa7a949b84f37186924dcd1c1

    SHA256

    b0866f7db2f7e243033f62b40196b246b2e9ba21c445d193605769d41a542da3

    SHA512

    ec471a4773f11fd4efb9cb06f57554aeb8964f05059e8fd108380d3b7bb494e43eebf189ef8783a3c25e693df31741df86c688633f5f2350f51fb26a3352231d