Overview

overview

10

Static

static

3

1ef51f0c0e...eb.exe

windows7-x64

10

1ef51f0c0e...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ef51f0c0ea5094b7424ae72329514eb.exe

  • Size

    316KB

  • MD5

    1ef51f0c0ea5094b7424ae72329514eb

  • SHA1

    93f3b87887b13d5471c322e25713ac0d643b5784

  • SHA256

    36e29d98d912ce7667179378e29c7b555d7710b5caa8271a41b5af86c88db955

  • SHA512

    8af172605cc371f4e94e0be341248caa69a55e241f1c7d0b3038842bf3a728c6fac1e1bad23f54192900a8e1c40535e5e26cc085fdffff43217284918a114fb9

  • SSDEEP

    6144:s/JVYOhyCTEtWff9nQMdkxIV0OQotoBOm8ntGUcF6/DsEfNXqkEL+:eJVYOR9YxIToYmtyIx+

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ef51f0c0ea5094b7424ae72329514eb.exe
    "C:\Users\Admin\AppData\Local\Temp\1ef51f0c0ea5094b7424ae72329514eb.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\buuem.exe
      "C:\Users\Admin\buuem.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\buuem.exe
    Filesize

    316KB

    MD5

    1fac6828acf5cadd8e13ff75da8ef0b3

    SHA1

    4c387fbdae3cf323b6db5b3f3fef56ce39afee2b

    SHA256

    36bca745d80bceaa601ed9fff13acfc42bd00de281582dcf69a080bbc71aa9e6

    SHA512

    645555a47c10b6d6f73ab64c285b935185b2399138ce3d936ae3c55e634dd91e0272f3373656cc3b5f9538beef76b8a0ffaf6710a2730af9119550fcac962a9f

    Download Submit