Analysis

  • max time kernel
    194s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 09:19

General

  • Target

    cf88259455121c143dae6c7663dd0fb072061115bb263bddef1216c6b3eb50a1.exe

  • Size

    92KB

  • MD5

    a08399c97686c035dae05a5b380e2bb1

  • SHA1

    a30068795d6970cdfe685377f6eccedd0318d57c

  • SHA256

    cf88259455121c143dae6c7663dd0fb072061115bb263bddef1216c6b3eb50a1

  • SHA512

    bb8996f6f6ca162f017cd0efdf093abd777cb0af644506773a1bd0bd8bd2e159ff98b581d7bb866b1cad798a18a4a24ce888486462c0ffed792eafcbbfb1093a

  • SSDEEP

    1536:SrghDsZFrXQ0LpuSTksMcxa2/w/MyOKvxRnmwXvWsl7zP3+uv+8sraiL8VPQ2N4M:ZhiVXdLpuSTkiro/MyOKvxRnmwXvWslm

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf88259455121c143dae6c7663dd0fb072061115bb263bddef1216c6b3eb50a1.exe
    "C:\Users\Admin\AppData\Local\Temp\cf88259455121c143dae6c7663dd0fb072061115bb263bddef1216c6b3eb50a1.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Users\Admin\vnzeb.exe
      "C:\Users\Admin\vnzeb.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3852

Network

        Downloads

        • C:\Users\Admin\vnzeb.exe

          Filesize

          92KB

          MD5

          1034b20984abc2e1cd9cf3bc5512ea61

          SHA1

          b058412f05f4ebee66b60669d2630fb5e028d166

          SHA256

          a2973c4334ee2eb658a527c9189a43253aa8cb28f2c455aee2b2fb98a0cd4aa8

          SHA512

          bf746db58e6b5fcb2892c320b7ae27aa05cd745c764af7147dad7493c5fbf711b96ad6d07e0bc50fed30b88fc4adc4fff26322d69345c46db273c592d5a7508e