Overview

overview

10

Static

static

3

449db7ead2...5c.exe

windows7-x64

10

449db7ead2...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 23:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    449db7ead280736b0e7610b2a7a84e5c.exe

  • Size

    332KB

  • MD5

    449db7ead280736b0e7610b2a7a84e5c

  • SHA1

    cb2fef6c9eda407dec841e107315e09e25ef21bb

  • SHA256

    13e7f4b66b74a37a78fae79a7d4a0267efb42d622d7a0a883ff7990fc4448613

  • SHA512

    ea4a8f5bc3c1a06c70c888014bfc5d42c6b26ecff99ad951f513890c0474651e7af759a3740a85ffdf6121307d8aacf63c90eced14e0858636bf5ca5812c9da1

  • SSDEEP

    3072:7q9jSeaNxnuD7mEVSuekhGkYrQRVZq3eFo4ejLnlQISQLpyhZu6qyKtrlbHrs2OI:L5NxM2WGk1Y3nmQcuyKdFrs2OXuHNz

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 17 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449db7ead280736b0e7610b2a7a84e5c.exe
    "C:\Users\Admin\AppData\Local\Temp\449db7ead280736b0e7610b2a7a84e5c.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\dyyauk.exe
      "C:\Users\Admin\dyyauk.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\dyyauk.exe
    Filesize

    332KB

    MD5

    91e36bb5bf667b77a6ca8aab0cdfd7ba

    SHA1

    4cba9890b56836d055e74afcb9740eb7ef594e37

    SHA256

    ec83c0e29ddbe63255f27f83af64d4826704bd4462b0a93cf1746f830d2614ab

    SHA512

    f3aba2dd2dae25de76ed4250b5d09391843ef4503d94f68e39990174a2265468e5d833ea23bf1b977204adc0499ef0e1e1f9e0d628ff4888d1d0a36258e0a508

    Download Submit

  • C:\Users\Admin\dyyauk.exe
    Filesize

    292KB

    MD5

    6281c74f2c34fc01ca8361f86e1cfb83

    SHA1

    03ff6fdf27d1de7abe5d8dbbefdfc22b6ee81119

    SHA256

    866e5439b10deeb8f84888af86704a76233e00e8a3d0a17b15f8b52f7c0d9f9e

    SHA512

    d423de72a7ab1ec9d3a9975b92be7d8a24355c5ee194eb4d41c55da7395d6b5af1fd8a2d8574de7a32c0189b4cea4da5cf186e446a1777fe508e7807482dbb7e

    Download Submit

  • C:\Users\Admin\dyyauk.exe
    Filesize

    41KB

    MD5

    7a54a93d29d3421b43dbd1801d4e2032

    SHA1

    8bbbbeaf95fa0159b222bd545cca0e0a2fac64ba

    SHA256

    9a4db88af9106babaadba7432df6e9d6418e59bd38a7a35f08cadd36ac6c3a12

    SHA512

    c13ef8242a496991b0e6ef588d2f0661cc3ce7947df35e38d124c9593ab3191abf4174b87b92159653f1030e2029e6f4a9847190a4946bda1d0f5973f297e231

    Download Submit