Overview

overview

10

Static

static

3

ae3bf46e7d...aa.exe

windows7-x64

10

ae3bf46e7d...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-02-2024 09:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae3bf46e7d8a23bcb652d4c401bd2faa.exe

  • Size

    54KB

  • MD5

    ae3bf46e7d8a23bcb652d4c401bd2faa

  • SHA1

    f1f2ce1e55425042e4a435de5756cdb3779cb285

  • SHA256

    b795c753801bab817e22cb80e681ea0a327040f9c160a3f69751ff09967609ce

  • SHA512

    fc5022ff54f3e76dfa7124447a8fd832c620c556a7ea2885f11afe3e0c764a7936f177a7e3311345a13e3bb0f183c4de3581d4c53c88c7fa5ef7b5cbd8a0e238

  • SSDEEP

    1536:ON7kU6dcFjfUXhXAXzXkkcUcks98kMEi7W:K7kR0ykcUcks98kMEj

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae3bf46e7d8a23bcb652d4c401bd2faa.exe
    "C:\Users\Admin\AppData\Local\Temp\ae3bf46e7d8a23bcb652d4c401bd2faa.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Users\Admin\xazev.exe
      "C:\Users\Admin\xazev.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\xazev.exe
    Filesize

    54KB

    MD5

    5f158289766f23fb9590efc738d6d26d

    SHA1

    e765bf4f058fdf947d38a3f062294772a79e8007

    SHA256

    b81b4cf1b648e2677b339a7b54f04d271c49619c8339c50721e70eed950438a3

    SHA512

    7ed5f35356a91203ecf44a421c162b4c19eb5696b62ed7273272bf93c330f135b55117a1570f8fffda550a75eeb8802ed66d2eee6cb3ff6fb784dae7f0c251d9

    Download Submit