Analysis

  • max time kernel
    166s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2022 03:23

General

  • Target

    b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe

  • Size

    208KB

  • MD5

    4a913c8aa0df7e39c6822b48d26e6e10

  • SHA1

    16ecc1a3dfd9830270c069ccd3e230208e678f23

  • SHA256

    b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d

  • SHA512

    3b8b4afbd15de133cf1c8473a15bb6da46d851c2fd304e3b5db149ecff1f844089f49e3d5d882ae0384c119b08038fe9071d919426e9bbb3e41afd5a5d2e5efc

  • SSDEEP

    3072:oFtCD3EAkPRCSk3YRNCgmm/r4o+1EqCzfA1WmdH83qZ0oREdxuDwZe/rPXUv9Ut2:QtiCRCm/r4JOmN83GuuuSXUWGx

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe
    "C:\Users\Admin\AppData\Local\Temp\b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\geiafek.exe
      "C:\Users\Admin\geiafek.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\geiafek.exe

    Filesize

    208KB

    MD5

    aac6c1d7d9a3af1ec30c2500b24ef235

    SHA1

    e18320bdfe5852f0dc5ee3dca296c95f49ff43cb

    SHA256

    3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21

    SHA512

    cca6dbd1c609b1b3ec511639fe733f56a0201914c40a5085433c42fe3974b932c3ba95d92f043d44cf687a0395a500c82d33849593fc4374ac853846b1f1845a

  • \Users\Admin\geiafek.exe

    Filesize

    208KB

    MD5

    aac6c1d7d9a3af1ec30c2500b24ef235

    SHA1

    e18320bdfe5852f0dc5ee3dca296c95f49ff43cb

    SHA256

    3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21

    SHA512

    cca6dbd1c609b1b3ec511639fe733f56a0201914c40a5085433c42fe3974b932c3ba95d92f043d44cf687a0395a500c82d33849593fc4374ac853846b1f1845a

  • memory/552-56-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB
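Host-side triage of the indicators above, as an added example that is not part of the sandbox report. It parses a `reg export` style dump (constructed inline) and flags the two registry behaviours the Signatures section lists: a Run-key entry that launches the dropped `geiafek.exe` from the profile root `C:\Users\Admin`, and Explorer settings that hide hidden/system files; it also matches file bytes against the SHA256 values from the General and Downloads sections. The Run value name `geiafek` and the `Explorer\Advanced` value names `Hidden` / `ShowSuperHidden` are assumptions, since the report names neither.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Hashes copied from the report: submitted sample and the dropped file.
REPORT_SHA256 = {
    "b46198dc20027d23ca3aeef857eff2cc59c3e3202c422d68cecc431f3003a42d": "submitted sample",
    "3dbcf74e81b6cb26c40dd39f16f9df62281f04a3723018a2135109eada363b21": "dropped geiafek.exe",
}
DROPPED_NAMES = {"geiafek.exe"}

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Value names under this key are assumed from general Windows knowledge;
# the report only says the sample "modifies visibility of hidden/system files".
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
PROFILE_ROOT = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+$", re.IGNORECASE)

# Constructed `reg export` text standing in for a host dump; the Run value
# name "geiafek" is an assumption (the report does not list it).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"geiafek"="C:\\Users\\Admin\\geiafek.exe"
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # In .reg strings a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: str | int}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue  # header, blank line, @=default, or a type we do not need
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            value: object = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            value = _unescape(rhs[1:-1])
        else:
            value = rhs  # hex:/expand-string data kept raw
        keys[current][_unescape(m.group(1))] = value
    return keys


def exe_from_command(cmd: str) -> str:
    """Executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_run_key(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Flag Run entries that launch the dropped file or run from C:\\Users\\<user>."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if not isinstance(cmd, str):
            continue
        exe = exe_from_command(cmd)
        parent, _, base = exe.rpartition("\\")
        if base.lower() in DROPPED_NAMES:
            findings.append((name, exe, "launches dropped file named in report"))
        elif PROFILE_ROOT.match(parent):
            findings.append((name, exe, "autostart binary sits in user-profile root"))
    return findings


def check_explorer_hidden(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Report Explorer settings that hide files: Hidden=2, ShowSuperHidden=0."""
    adv = keys.get(ADVANCED_KEY, {})
    out = []
    if adv.get("Hidden") == 2:
        out.append("Hidden=2: hidden files and folders not shown")
    if adv.get("ShowSuperHidden") == 0:
        out.append("ShowSuperHidden=0: protected operating system files not shown")
    return out


def identify_by_hash(data: bytes) -> str:
    """Match file bytes against the SHA256 values listed in the report."""
    return REPORT_SHA256.get(hashlib.sha256(data).hexdigest(), "not in report")


def triage(reg_text: str) -> Dict[str, list]:
    keys = parse_reg(reg_text)
    return {"run": check_run_key(keys), "explorer": check_explorer_hidden(keys)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG).items():
        for hit in hits:
            print(section, hit)
```

Two caveats when reading the output. `Hidden=2` and `ShowSuperHidden=0` are also the Windows defaults, so a static match only tells you the user cannot see hidden files; the sandbox signature fires on the write to those values, so on a live host correlate with registry-write telemetry (for example Sysmon Event ID 13) before treating it as evidence. The Run entry is the stronger indicator: a 208KB executable with a random-looking name sitting directly in `C:\Users\<user>` and registered for autostart, confirmable by hashing the file against the SHA256 values copied from the report.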