Analysis

  • max time kernel
    172s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2024, 19:03

General

  • Target

    ef3e3aff16b6dfb02fe48435614b0bd4.exe

  • Size

    100KB

  • MD5

    ef3e3aff16b6dfb02fe48435614b0bd4

  • SHA1

    f2b3c93c89fce67821806a83c3e2111b21f1b92e

  • SHA256

    5cb95723eee4583a859c75a163e667494f8447ca56d7c61d12c5c041e9a13ef6

  • SHA512

    05bec3d0134b95c6ac4c4f1be8dcba8f19a5f6722e620a8d231449806d121bfca2b60589ebbf64148a635f54ffcb67ebcdc5943ea713d2f4d1b51e62e21a9926

  • SSDEEP

    1536:Y5tGl82NTzwz/MGAc4ohrPXo+73Rez8b0SyKNIjnZrJ:5wuurPX7CKCnlJ

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef3e3aff16b6dfb02fe48435614b0bd4.exe
    "C:\Users\Admin\AppData\Local\Temp\ef3e3aff16b6dfb02fe48435614b0bd4.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Users\Admin\paimuu.exe
      "C:\Users\Admin\paimuu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\paimuu.exe

    Filesize
    100KB

    MD5
    e57596425568d2a0a0b93c7de3e9466e

    SHA1
    f7894d8875913f4ad26b4f72eb3e98f73129f720

    SHA256
    4eec0485dcca1ecc0b38c69a8b7659c985914d5b9969dd2f5708dfef0a9c6c9e

    SHA512
    7e884232dcc56787c69150a907de425f81debd2a7bcea9008a5a897e89adf46cbb2c8719c1a3a64d10c8c4d420645a30f2f21ea3708f46d88391ed26bfeef33b

  • memory/1852-35-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize
    104KB

  • memory/1852-38-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize
    104KB

  • memory/4528-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize
    104KB

  • memory/4528-6-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize
    104KB