Overview

overview

10

Static

static

cde027664c...ae.exe

windows7-x64

10

cde027664c...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    191s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cde027664c59ea0d89b9aa03cb537a69cb2813b23b4dfa4e228858f0557079ae.exe

  • Size

    260KB

  • MD5

    07a32a864ade6d52249facecc15a0131

  • SHA1

    46ba25c7fa405f1245889f057040cf899ed033e3

  • SHA256

    cde027664c59ea0d89b9aa03cb537a69cb2813b23b4dfa4e228858f0557079ae

  • SHA512

    fd07c80ef5011146147b22ad1b7c45060beccffcaf49da0792a8bfce8b4371b8bbaceb827f2bd83b395d26a870aefc430e1dc0ee2bcd260f738cd03d89360973

  • SSDEEP

    6144:x4HyUUp7WQn6mr1R4bKLnXejKloO6JU1J7QnpRZ7Ta9kzU2/pn:xk0p6Qn6mr1R4bKLnXaKaO6O1JApvH

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cde027664c59ea0d89b9aa03cb537a69cb2813b23b4dfa4e228858f0557079ae.exe
    "C:\Users\Admin\AppData\Local\Temp\cde027664c59ea0d89b9aa03cb537a69cb2813b23b4dfa4e228858f0557079ae.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\heoehit.exe
      "C:\Users\Admin\heoehit.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\heoehit.exe
    Filesize

    260KB

    MD5

    ba8a42d8540f9625bb33455dd9908b30

    SHA1

    6fad1490288d07752fba72c87cf306d1633ff0d2

    SHA256

    bb947a47a8333b4355f5129ae657f3164c409acbe2f86cca6cf43828c10c28cd

    SHA512

    7795639355156919116823746cce65c1e15b0c83adc626a0733edb7f22ad3e1cb076bc001d19435d103658ccf5fcbaa630eb7b2ca47f893b371881134ad8224e

    Download Submit

  • C:\Users\Admin\heoehit.exe
    Filesize

    260KB

    MD5

    ba8a42d8540f9625bb33455dd9908b30

    SHA1

    6fad1490288d07752fba72c87cf306d1633ff0d2

    SHA256

    bb947a47a8333b4355f5129ae657f3164c409acbe2f86cca6cf43828c10c28cd

    SHA512

    7795639355156919116823746cce65c1e15b0c83adc626a0733edb7f22ad3e1cb076bc001d19435d103658ccf5fcbaa630eb7b2ca47f893b371881134ad8224e

    Download Submit

  • memory/1520-134-0x0000000000000000-mapping.dmp

    Download