Overview

overview

10

Static

static

c5b37b72e1...f1.exe

windows7-x64

10

c5b37b72e1...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 23:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c5b37b72e1639be066bd76c54918db322c122513dfd9477ca297be896ceb89f1.exe

  • Size

    176KB

  • MD5

    b17831dd8a3bd3b973b04222635590a4

  • SHA1

    ca8cde2be731517d27f87d198d3392a997168735

  • SHA256

    c5b37b72e1639be066bd76c54918db322c122513dfd9477ca297be896ceb89f1

  • SHA512

    3ba7d802705526bfbb1096bfe936a12a627e18490df1a3700bca947f393ac327f9ca6ba030b3b54330348d94c6f3307f997606454805b36ecb711ad7cb3ade87

  • SSDEEP

    3072:5taGK/fObT/bGiS3LOClnkZQxlrUax81zX1faK0U9C00hKex9nQ3b7a5VpIC+RZL:5t1K/fObT/bGiELOSnkZQxlrUax8NX1t

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5b37b72e1639be066bd76c54918db322c122513dfd9477ca297be896ceb89f1.exe
    "C:\Users\Admin\AppData\Local\Temp\c5b37b72e1639be066bd76c54918db322c122513dfd9477ca297be896ceb89f1.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\nrmeit.exe
      "C:\Users\Admin\nrmeit.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1428

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\nrmeit.exe
          Filesize

          176KB

          MD5

          6eb00541cec171c2011eda2c4ba6feac

          SHA1

          a100990893a73ec668190c2d09c4da7d0e9f1369

          SHA256

          1481418b627ff4e908e1f15fcb77d079080dd99fee3d7f545683492d84d4661a

          SHA512

          8b73ddd1515b05b3c31e10d3e8475bfdce60dd4f73f7edeb75b5edb5010d0aaf38f22dd831ff442f374e2699ce7081eefcd3312dcabd99df22aefa76a375f4ce

          Download Submit

        • C:\Users\Admin\nrmeit.exe
          Filesize

          176KB

          MD5

          6eb00541cec171c2011eda2c4ba6feac

          SHA1

          a100990893a73ec668190c2d09c4da7d0e9f1369

          SHA256

          1481418b627ff4e908e1f15fcb77d079080dd99fee3d7f545683492d84d4661a

          SHA512

          8b73ddd1515b05b3c31e10d3e8475bfdce60dd4f73f7edeb75b5edb5010d0aaf38f22dd831ff442f374e2699ce7081eefcd3312dcabd99df22aefa76a375f4ce

          Download Submit