Analysis

  • max time kernel
    187s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 10:24

General

  • Target

    c414848903205322a5e8d80b1769f9da19f58bc1c3a457756ae34920a58a859d.exe

  • Size

    224KB

  • MD5

    40f4c93a5e794564ab6b68c283e2679e

  • SHA1

    c5b773d86a023516326a70061c59d844d16e3c84

  • SHA256

    c414848903205322a5e8d80b1769f9da19f58bc1c3a457756ae34920a58a859d

  • SHA512

    c47ee8285bd27e6621f62f8fd3103ba3bffa4ff9bf7edb3fc6dfa69d11d458aa50391ee23d786fd4c1202bcfcbb0880db698c6a085f915ba92658cc672a0b95a

  • SSDEEP

    3072:bXyqNsMoBunDZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax26:OqN5Tp4LnbmlrZW

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c414848903205322a5e8d80b1769f9da19f58bc1c3a457756ae34920a58a859d.exe
    "C:\Users\Admin\AppData\Local\Temp\c414848903205322a5e8d80b1769f9da19f58bc1c3a457756ae34920a58a859d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\zioemuk.exe
      "C:\Users\Admin\zioemuk.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2168

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zioemuk.exe

    Filesize

    224KB

    MD5

    71c13b28779235455a4ad42478ff8bf4

    SHA1

    5a0f65e7b4d21e1991a5b97cecf86e9eef924a3a

    SHA256

    a1eb953b7f34fd9125323863d5a0d312583e054e8950733f74dc850ae7413a40

    SHA512

    b18d59e4694492120a80e79351dc670bb333315e3de8d92bdd2f8dead02ecca986ace93f35431669d3bc124a8e8174bc5e9d4a2a156ed241c6cc7ca056698699

  • memory/2168-134-0x0000000000000000-mapping.dmp