Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 10:25

General

  • Target

    89a20b26f76376b7bdb468daa0da67e09cc5561d64c99c72520c19449ac4b955.exe

  • Size

    228KB

  • MD5

    76c4ecc736fd934b2ef28a040bb3b4dd

  • SHA1

    8388f3ca8a1af5c4c49d009142f33d01734efb2c

  • SHA256

    89a20b26f76376b7bdb468daa0da67e09cc5561d64c99c72520c19449ac4b955

  • SHA512

    79f896b38e0c2409fa1020972692468ef6de05e6e9ddc2da68b67c6a9701591b6c6080a84c1c45663158cd1805c7fa9e6ea50b23e4e25de0f5840ac67ffbcfd7

  • SSDEEP

    6144:Qmuq3PFKs7aFwKWwalhrEqxF6snji81RUinKZHg//Sa:Qmu4PhAmZIH+/n

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a20b26f76376b7bdb468daa0da67e09cc5561d64c99c72520c19449ac4b955.exe
    "C:\Users\Admin\AppData\Local\Temp\89a20b26f76376b7bdb468daa0da67e09cc5561d64c99c72520c19449ac4b955.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\moanu.exe
      "C:\Users\Admin\moanu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3972

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\moanu.exe

    Filesize

    228KB

    MD5

    8caffedb66360236c9f7814df3c469ae

    SHA1

    2f894fcc1098bc11bea0aa0b943089a4e4c166bb

    SHA256

    5c8c1fed010cd67e89ef6ce71e637655213ca2e0db788b75eab78a1e827fad0b

    SHA512

    ecd9783fc0220dcefe5e4a6e64f1ebe3b9ab4b1a97d7e85f8f449cde76fb22ddda85d6f7c684dfadbff698d0287d3aaba8e29c33fa7cc049bcefdec461e7f9d1