Overview

overview

10

Static

static

ac354e0dab...4f.exe

windows7-x64

10

ac354e0dab...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    262s
  • max time network
    333s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 09:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ac354e0dabf554cfd70ab1cb000e60bf0d29e8a3c9ed272ec499ff1cf5a8ca4f.exe

  • Size

    272KB

  • MD5

    b41ac6b387cc0f8cd64c483938f69341

  • SHA1

    bc4036182144981cec78e4e1eb69c427d965cf15

  • SHA256

    ac354e0dabf554cfd70ab1cb000e60bf0d29e8a3c9ed272ec499ff1cf5a8ca4f

  • SHA512

    f3c37f97dcc138bb392dd874be3c748b74eacd427d4f59c1c99e1ddad987f7c26a890a52032e402273ac92e5f941bd9638fce91ab23441ecf78991092bae7b6b

  • SSDEEP

    6144:P3a/lQxchRdjLmtrBuMrdekUH63u+X5sc57W:CKxGLTuPL5

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 48 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac354e0dabf554cfd70ab1cb000e60bf0d29e8a3c9ed272ec499ff1cf5a8ca4f.exe
    "C:\Users\Admin\AppData\Local\Temp\ac354e0dabf554cfd70ab1cb000e60bf0d29e8a3c9ed272ec499ff1cf5a8ca4f.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Users\Admin\baoon.exe
      "C:\Users\Admin\baoon.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1156

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\baoon.exe
          Filesize

          272KB

          MD5

          df5327a4e3daf13c902bce7b497621d5

          SHA1

          b462a8c3abad6815e5c0ecbc1b956bd82eb9a36f

          SHA256

          8ea55e25ce9181a8f072c633fec9002fa4493ceac588eb3f9c738d7934a2f0fd

          SHA512

          3775a7dcb8572707a8a01bd6e2c42c27c99fd66350734d91de74b82952ec4c902ce041cb94618544c901932b37424fb684156fea6149d062a533ef713c21cb75

          Download Submit

        • C:\Users\Admin\baoon.exe
          Filesize

          272KB

          MD5

          df5327a4e3daf13c902bce7b497621d5

          SHA1

          b462a8c3abad6815e5c0ecbc1b956bd82eb9a36f

          SHA256

          8ea55e25ce9181a8f072c633fec9002fa4493ceac588eb3f9c738d7934a2f0fd

          SHA512

          3775a7dcb8572707a8a01bd6e2c42c27c99fd66350734d91de74b82952ec4c902ce041cb94618544c901932b37424fb684156fea6149d062a533ef713c21cb75

          Download Submit

        • \Users\Admin\baoon.exe
          Filesize

          272KB

          MD5

          df5327a4e3daf13c902bce7b497621d5

          SHA1

          b462a8c3abad6815e5c0ecbc1b956bd82eb9a36f

          SHA256

          8ea55e25ce9181a8f072c633fec9002fa4493ceac588eb3f9c738d7934a2f0fd

          SHA512

          3775a7dcb8572707a8a01bd6e2c42c27c99fd66350734d91de74b82952ec4c902ce041cb94618544c901932b37424fb684156fea6149d062a533ef713c21cb75

          Download Submit

        • \Users\Admin\baoon.exe
          Filesize

          272KB

          MD5

          df5327a4e3daf13c902bce7b497621d5

          SHA1

          b462a8c3abad6815e5c0ecbc1b956bd82eb9a36f

          SHA256

          8ea55e25ce9181a8f072c633fec9002fa4493ceac588eb3f9c738d7934a2f0fd

          SHA512

          3775a7dcb8572707a8a01bd6e2c42c27c99fd66350734d91de74b82952ec4c902ce041cb94618544c901932b37424fb684156fea6149d062a533ef713c21cb75

          Download Submit

        • memory/672-56-0x0000000075531000-0x0000000075533000-memory.dmp

          Filesize

          8KB

          Download