Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-01-2024 17:40

General

  • Target

    5950c86591b5f797f9e9eb8127afb1ed.exe

  • Size

    156KB

  • MD5

    5950c86591b5f797f9e9eb8127afb1ed

  • SHA1

    28a9099986f6ba37dbc11758e7258ee40007e7ff

  • SHA256

    95298a6b4b686a6ec49fc8d750825baf827bd5d6c903a28fab4236300d77700e

  • SHA512

    5f1c097ed6be50ef3cf148a84116dd9c829893fe3fd31645cbdfdb3e3d32e178bf857fad7d4787925cfe475eb21f7025b4dea27901eac43ff7fbed89fb53585d

  • SSDEEP

    3072:QBd1YE2MtU7Qv0w4ZRRQMMDwtIMCeFP4ANA4oQZiEey3:SdiE2R7Qvb4tQTaCeFP4A+Wsq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5950c86591b5f797f9e9eb8127afb1ed.exe
    "C:\Users\Admin\AppData\Local\Temp\5950c86591b5f797f9e9eb8127afb1ed.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\jauke.exe
      "C:\Users\Admin\jauke.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\jauke.exe

    Filesize

    156KB

    MD5

    c8fc0fa88ee917c85d677393b93d14f7

    SHA1

    ad9f3ae468c6713f8c3cb7e20509f7274161e698

    SHA256

    a1dabbcdd33e19b92ac8a0c0b3842e436e82a46cd10d0562f6b1643e84f50865

    SHA512

    d6ee3c2f981a20a2457fa5ff02eadd3ad845a42647049c9f3e91828186eaefa229ceccfd5e07efde5a6998b2bd242a9431ffa4c6016ec2a5148cdc76bfa1442e