Overview

overview

8

Static

static

eeabaebc74...f9.exe

windows7-x64

8

eeabaebc74...f9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    184s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeabaebc74cc6db99f09a70bc01aad474b53df339f2b22c7d5110d5560598cf9.exe

  • Size

    1.0MB

  • MD5

    9df4c15341df9c0ab5d20fafcb687077

  • SHA1

    f4897f7a89db0b3f38b9c7931eafb99dcfe5f2d9

  • SHA256

    eeabaebc74cc6db99f09a70bc01aad474b53df339f2b22c7d5110d5560598cf9

  • SHA512

    74ac0d1007394ba9b5a491e60dc058ab0e7cd4b8b86ace7c23d0599092d71248fa1973849f07d9c317460c4d343ef34f822bf42c036e34a154a62b2037e7a6ec

  • SSDEEP

    24576:Qk4slMippnVRuA+Rk3bwtXbyEnk02qFbHzQvo/:Q4MWnVRuA+Rsw9byEnr2qFbHUvm

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\eeabaebc74cc6db99f09a70bc01aad474b53df339f2b22c7d5110d5560598cf9.exe
        "C:\Users\Admin\AppData\Local\Temp\eeabaebc74cc6db99f09a70bc01aad474b53df339f2b22c7d5110d5560598cf9.exe"
        2⤵
        • Checks BIOS information in registry
        • Checks computer location settings
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3192

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
      Filesize

      50KB

      MD5

      85d217a85fb6d1d6d03ef8fa76bad7cf

      SHA1

      b77de1e8e3e22b0e989ea542de863b277834a92c

      SHA256

      0ad533cb0a89239e9648e3ca680bf28c7f3ec9b20db6f69ae0b59a3328831d3e

      SHA512

      602c8f57d75017dd481c6d22d56a96955a22d7a463f100bcc9f5687e514c54fbafd41997c89eec9f4f68fbd30df6e1521357f5a67202092fb4a1059e1b4bfbff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
      Filesize

      50KB

      MD5

      85d217a85fb6d1d6d03ef8fa76bad7cf

      SHA1

      b77de1e8e3e22b0e989ea542de863b277834a92c

      SHA256

      0ad533cb0a89239e9648e3ca680bf28c7f3ec9b20db6f69ae0b59a3328831d3e

      SHA512

      602c8f57d75017dd481c6d22d56a96955a22d7a463f100bcc9f5687e514c54fbafd41997c89eec9f4f68fbd30df6e1521357f5a67202092fb4a1059e1b4bfbff

      Download Submit

    • memory/764-146-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2024-137-0x00000000001E0000-0x00000000001F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2024-138-0x00000000024B0000-0x00000000024E8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2024-139-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2024-140-0x00000000001E0000-0x00000000001F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2024-132-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2024-134-0x00000000024B0000-0x00000000024E8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2024-144-0x0000000000400000-0x000000000055E000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2024-145-0x00000000001E0000-0x00000000001F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2024-133-0x00000000001E0000-0x00000000001F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3192-147-0x0000000010000000-0x0000000010011000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3192-148-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download