Overview

overview

10

Static

static

7442b91d9e...e4.exe

windows7-x64

10

7442b91d9e...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7442b91d9e692dd7880fd9667df9e097a63e030b2633f38a0071fbdbae69f5e4.exe

  • Size

    268KB

  • MD5

    77ce38a8e2ec054b4464327ba6adfb6e

  • SHA1

    4baf37e86bed86636ff65a8a71dc90c84bf2a090

  • SHA256

    7442b91d9e692dd7880fd9667df9e097a63e030b2633f38a0071fbdbae69f5e4

  • SHA512

    95cf789732e376cca42cb000640a24dd24a3a81f4d6928d89051e17bab922d3f6c0f5ebe1b626dba6d387a9223262da586323a00ba97c48673249912775a1bbc

  • SSDEEP

    3072:IH0IbGACBCc5nNHf/1rc911SQwjRRQG20KJehxo4EzFTfG1eGqFMIAO:q+IIy910QmR20We7EzlmqZn

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7442b91d9e692dd7880fd9667df9e097a63e030b2633f38a0071fbdbae69f5e4.exe
    "C:\Users\Admin\AppData\Local\Temp\7442b91d9e692dd7880fd9667df9e097a63e030b2633f38a0071fbdbae69f5e4.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\cauodu.exe
      "C:\Users\Admin\cauodu.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:588

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\cauodu.exe
    Filesize

    268KB

    MD5

    9076aed30754ba97026d1b52b4bc006c

    SHA1

    9e531253e6dd345d8e869fe24ecbc8500f26313d

    SHA256

    a3ce4f6760f1f38cd61fced72fbb12132976b421bb69b5c85495cf0b918af957

    SHA512

    8b5f7dc24a76e8460896bd07a0f1c2107611b74332ce964a6677f8565150844394f4abd0d050c9f0f27ce442cc553342ad8ebfbd8e54d323a465b70b4e06c8e6

    Download Submit

  • C:\Users\Admin\cauodu.exe
    Filesize

    268KB

    MD5

    9076aed30754ba97026d1b52b4bc006c

    SHA1

    9e531253e6dd345d8e869fe24ecbc8500f26313d

    SHA256

    a3ce4f6760f1f38cd61fced72fbb12132976b421bb69b5c85495cf0b918af957

    SHA512

    8b5f7dc24a76e8460896bd07a0f1c2107611b74332ce964a6677f8565150844394f4abd0d050c9f0f27ce442cc553342ad8ebfbd8e54d323a465b70b4e06c8e6

    Download Submit

  • \Users\Admin\cauodu.exe
    Filesize

    268KB

    MD5

    9076aed30754ba97026d1b52b4bc006c

    SHA1

    9e531253e6dd345d8e869fe24ecbc8500f26313d

    SHA256

    a3ce4f6760f1f38cd61fced72fbb12132976b421bb69b5c85495cf0b918af957

    SHA512

    8b5f7dc24a76e8460896bd07a0f1c2107611b74332ce964a6677f8565150844394f4abd0d050c9f0f27ce442cc553342ad8ebfbd8e54d323a465b70b4e06c8e6

    Download Submit

  • \Users\Admin\cauodu.exe
    Filesize

    268KB

    MD5

    9076aed30754ba97026d1b52b4bc006c

    SHA1

    9e531253e6dd345d8e869fe24ecbc8500f26313d

    SHA256

    a3ce4f6760f1f38cd61fced72fbb12132976b421bb69b5c85495cf0b918af957

    SHA512

    8b5f7dc24a76e8460896bd07a0f1c2107611b74332ce964a6677f8565150844394f4abd0d050c9f0f27ce442cc553342ad8ebfbd8e54d323a465b70b4e06c8e6

    Download Submit

  • memory/588-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1724-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

    Filesize

    8KB

    Download