Analysis

  • max time kernel
    88s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2022, 02:32

General

  • Target

    dd944ecadba2279247ecdf3f3f7d3c43b5dbaeeeca5f848ed532cb393d155a64.exe

  • Size

    250KB

  • MD5

    9ffaa35ff8a8aabc20d369e2a4493c7d

  • SHA1

    54e9474cdd530e428da28c19f96d9c59d71bb009

  • SHA256

    dd944ecadba2279247ecdf3f3f7d3c43b5dbaeeeca5f848ed532cb393d155a64

  • SHA512

    849270295fcb64e771bee807092405ace5321ff401b79a9bdf52ffc19cc506e34a6083797217a489c368d5b997bc1dc4a6a80302ae429604bae17b2a1d1bdf27

  • SSDEEP

    3072:p788E5EEVWiJAKMN9DAXamLKAcfbKyZwP02bVq3NZMf:pW5uKMN9DtAcfbK/qT

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd944ecadba2279247ecdf3f3f7d3c43b5dbaeeeca5f848ed532cb393d155a64.exe
    "C:\Users\Admin\AppData\Local\Temp\dd944ecadba2279247ecdf3f3f7d3c43b5dbaeeeca5f848ed532cb393d155a64.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\zauru.exe
      "C:\Users\Admin\zauru.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3820

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zauru.exe

    Filesize

    250KB

    MD5

    b9c0647212d3dccd1f3451f24c2e7be6

    SHA1

    a8e462e6dff68a9bb6d4f40e53da565e8bee5bc5

    SHA256

    3d319e5b96f18cdf33b2d56a2e25aafdee3c86787d4783bf69485d5ee3dde331

    SHA512

    f9cb7a58b424703c2f7da323aaf3eb0f93e6b89d217800b4e88edcc3501d9b511617fa57256dbb9fb4a28e9deb6e15e6cad008be020e5c1756048bfec5f51a34

  • memory/1424-132-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1424-141-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/3820-140-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/3820-142-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB