Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 14:04

General

  • Target

    742ca7bf8b55e25610c8b9e25309bcab.exe

  • Size

    100KB

  • MD5

    742ca7bf8b55e25610c8b9e25309bcab

  • SHA1

    0a6e13e8972f285ffe00c11a74f1581042fd0c9d

  • SHA256

    58d70a52161c0496a3554753a08d7975b930367be7b9d4254a652a31d59dff48

  • SHA512

    932df8be6a55651b53bcdc116a212f56634f9771186cff01c4d6c135ba1f8a2634ffb2018e5492ccddd8630788a372433800d7f079a0e593b5764441bee86433

  • SSDEEP

    1536:/yWpcX220mQW9j1xJKIRGWcOUP7vXArnY1ZqAefzyeshNIjnZ9:KdQW9sNAfzyemCnf

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\742ca7bf8b55e25610c8b9e25309bcab.exe
    "C:\Users\Admin\AppData\Local\Temp\742ca7bf8b55e25610c8b9e25309bcab.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\zrrueh.exe
      "C:\Users\Admin\zrrueh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3304

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\zrrueh.exe

          Filesize

          92KB

          MD5

          f23bb1ab114cb9e400c1caab2b36a448

          SHA1

          1a5e93938af13ac2df3fb69e7b2b7fa62e69c554

          SHA256

          48421cdeeae874f8f9ba7ba86658aabf3c20b92f9ce95167cf694387db57108e

          SHA512

          a2a8bebe28eba40900b225eccddeac6c7350eba5e6e01c2757127761a3fa66e921d309cdcac8f1538a4c165b5194f67330099a94101d7db7956e08c5f5d3d1f7

        • C:\Users\Admin\zrrueh.exe

          Filesize

          100KB

          MD5

          6cf1c3d497b03eb88737e0269d8d69d1

          SHA1

          fb48aef1f40debe3fbb53d31071cab3295ba3f87

          SHA256

          f09469b8bc80cd50d68fee36d712001c87ec8903ffc22e3c0d0466b2f29deae0

          SHA512

          70f9272f13a1343c876f036a0519bd19a0295c17f472f269451a30d937cb59a3328dce2dda307bb87b8d8780a24f5bddee08f0ea44ac2b0b8bb729a3ef36ddf3
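As an added example that is not part of this report and not the sandbox's own tooling, the following PowerShell sweep is what a responder could run on a suspect host to check for the artifacts listed under Signatures and Downloads: the dropped zrrueh.exe verified against the report's SHA256 values, Run-key persistence referencing it, and the Explorer hidden/system-file visibility values. The report names the behaviours but not the registry values behind them, so the Explorer Advanced and Geo\Nation locations, the Run-key paths, the per-profile sweep and the function name Invoke-ZrruehSweep are assumptions inferred from common Windows settings.

```powershell
# Added host-triage sweep for the IoCs in this report. Not part of the sandbox output.
# Assumptions (not stated in the report): the registry values behind the "Modifies
# visibility of hidden/system files in Explorer" and "Checks computer location settings"
# signatures, the Run-key locations checked, and the function name.

function Invoke-ZrruehSweep {
    # SHA256 values taken from the report: the submitted sample and both zrrueh.exe states.
    $KnownSha256 = @(
        '58d70a52161c0496a3554753a08d7975b930367be7b9d4254a652a31d59dff48',  # submitted sample, 100KB
        '48421cdeeae874f8f9ba7ba86658aabf3c20b92f9ce95167cf694387db57108e',  # zrrueh.exe, 92KB
        'f09469b8bc80cd50d68fee36d712001c87ec8903ffc22e3c0d0466b2f29deae0'   # zrrueh.exe, 100KB
    )
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped file. The report shows C:\Users\Admin\zrrueh.exe; "Admin" was the sandbox
    #    user, so sweep every profile root rather than hard-coding that name.
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $candidate = Join-Path $_.FullName 'zrrueh.exe'
        if (Test-Path -LiteralPath $candidate) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
            $verdict = if ($KnownSha256 -contains $hash) { 'matches report hash' } else { 'hash NOT in report' }
            $Findings.Add("File present: $candidate ($verdict, sha256=$hash)")
        }
    }

    # 2. Run-key persistence ("Adds Run key to start application", 53 IoCs in the report).
    $RunKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
        foreach ($prop in $props) {
            # Match either the dropped name or the original sample name.
            if ("$($prop.Value)" -match 'zrrueh\.exe|742ca7bf8b55e25610c8b9e25309bcab\.exe') {
                $Findings.Add("Run key entry: $key\$($prop.Name) = $($prop.Value)")
            }
        }
    }

    # 3. Explorer hidden/system-file visibility. Assumed to be the values the signature
    #    refers to. Hidden=2 / ShowSuperHidden=0 are also the clean defaults, so record the
    #    values for the analyst rather than treating them as proof of compromise.
    $Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if (Test-Path -Path $Adv) {
        $v = Get-ItemProperty -Path $Adv
        $Findings.Add("Explorer Advanced: Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)")
    }

    # 4. Location setting the sample is assumed to read for its geofence check (a read, not
    #    an IoC; recorded so the analyst knows what the sample would have observed here).
    $Geo = 'HKCU:\Control Panel\International\Geo'
    if (Test-Path -Path $Geo) {
        $Findings.Add("Geo\Nation = $((Get-ItemProperty -Path $Geo).Nation)")
    }

    return $Findings
}

Invoke-ZrruehSweep | ForEach-Object { Write-Output $_ }
```

Run it in an elevated session so the HKLM Run keys and other users' profile directories are readable; for a fleet sweep, wrap the call in Invoke-Command against the hosts of interest. A file hit with "hash NOT in report" still warrants collection, since the report itself shows zrrueh.exe in two different states with different hashes.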