Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/03/2024, 17:14

General

  • Target

    dfaf8bf5dca330440c38b6cce6f868fb.exe

  • Size

    144KB

  • MD5

    dfaf8bf5dca330440c38b6cce6f868fb

  • SHA1

    49746b8453ecda71402b054f229d8453d488fcb3

  • SHA256

    089c70b37e17b83ab9a9e4fc37aa17679d6a7eb832595b4264ad54bed1581d89

  • SHA512

    b7839ef03befddcbf1ebe449677f180d94d055ae1eba29f6fa25a653a69c3d21090b07115bcf1397e8fcb4319193a5a19ddf86bde55793013d8757e970f371aa

  • SSDEEP

    1536:MtljAWunE0ggGDHjDTYpK3XZxkIh1mF+0da1f6ymqneF05bV4oQ/hKeXsjEFbZl:Mtgnhg/zLKM0AGMeF05p4oQZiE5Zl

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfaf8bf5dca330440c38b6cce6f868fb.exe
    "C:\Users\Admin\AppData\Local\Temp\dfaf8bf5dca330440c38b6cce6f868fb.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\muieh.exe
      "C:\Users\Admin\muieh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1600

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\muieh.exe

          Filesize

          144KB

          MD5

          b6ed76130a89efecd22db774e7f6a7a0

          SHA1

          689bc1e37f679134214f9f0d25f41a9e7ba06391

          SHA256

          99e107d48583d4af9e27aece4f500d7a327cc3bccd44a504f2bb89a356a4d405

          SHA512

          0b5c37fdedc7ec6a5e0532e2fa7fe64db5adbccf3a2535c7fc490ff69e19ab06852e91581aa03a3b9c56d325b57ef0e7f6d108cef63d07a0de8184aa5e685938
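The signatures and process tree above (dropped copy at C:\Users\Admin\muieh.exe, Run-key persistence, Explorer hidden/system-file visibility change) and the Downloads hashes are enough to sweep other hosts for the same sample. The PowerShell script below is an added host-triage example, not part of the sandbox report: it locates muieh.exe in every user profile and compares its SHA256 with the hash listed above, flags Run-key values that reference it, and dumps the Explorer visibility values. The specific registry locations are assumptions the report does not state: the report does not say whether the Run key was HKCU or HKLM (both are checked), and the Explorer change is assumed to be the Hidden / ShowSuperHidden values under Explorer\Advanced, which the script only reports rather than interprets.

```powershell
# Added host-triage script; not part of the sandbox report or the sample.
# Indicators come from the report above; registry locations are assumptions.

# SHA256 values copied from the report (sample and dropped copy).
$KnownSha256 = @{
    'dfaf8bf5dca330440c38b6cce6f868fb.exe' = '089c70b37e17b83ab9a9e4fc37aa17679d6a7eb832595b4264ad54bed1581d89'
    'muieh.exe'                             = '99e107d48583d4af9e27aece4f500d7a327cc3bccd44a504f2bb89a356a4d405'
}

function Test-DroppedBinary {
    # The sandbox saw the copy at C:\Users\Admin\muieh.exe; check every profile,
    # since the user name on a victim host will differ.
    $hits = @()
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $candidate = Join-Path $profile.FullName 'muieh.exe'
        if (-not (Test-Path $candidate)) { continue }
        $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash.ToLower()
        $hits += [pscustomobject]@{
            Path          = $candidate
            SHA256        = $hash
            MatchesReport = ($hash -eq $KnownSha256['muieh.exe'])
        }
    }
    return $hits
}

function Test-RunKeyPersistence {
    # Assumption: persistence lives under the standard CurrentVersion\Run keys.
    # The report does not name the hive or value name, so match on the command line.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $hits = @()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ("$($p.Value)" -match 'muieh\.exe') {
                $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    return $hits
}

function Get-ExplorerVisibility {
    # Assumption: the "modifies visibility" signature refers to these two values.
    # Windows defaults are Hidden=2 (hide hidden files) and ShowSuperHidden=0
    # (hide protected OS files); report whatever is set and compare by hand.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if (-not (Test-Path $key)) { return $null }
    $adv = Get-ItemProperty -Path $key
    return [pscustomobject]@{
        Hidden          = $adv.Hidden
        ShowSuperHidden = $adv.ShowSuperHidden
        LastWriteTime   = (Get-Item $key).LastWriteTime
    }
}

$result = [pscustomobject]@{
    DroppedBinary = Test-DroppedBinary
    RunKeys       = Test-RunKeyPersistence
    Explorer      = Get-ExplorerVisibility
}
$result | Format-List
```

Run it in an elevated session so the HKLM Run key and other users' profile directories are readable. A hash mismatch on a found muieh.exe is still worth escalating: the report's "Executes dropped EXE" entry shows the dropped copy is a distinct build (different hashes from the parent despite the same 144KB size), so other samples of the same family may write the same file name with a different hash.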