Analysis

  • max time kernel: 224s
  • max time network: 249s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 10-12-2020 14:37

General

  • Target: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
  • Size: 425KB
  • MD5: 8e2ccd9284e09ccc4e9eef325a83b435
  • SHA1: 7710f609e7623a08f0dd7cb8fae1ff38d0c729ef
  • SHA256: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824
  • SHA512: 9827bdb32c04127ee0ccc41be9c84df40e7d2aa30c68dc9f9e5bfabcd920478884bbec0f3f8ddcbe5fba2eafafa3437b37af161d59fc39daa92202e2f884247f

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
    "C:\Users\Admin\AppData\Local\Temp\3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe"
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    PID:1824
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1760
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:432

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112): 1
  • Credential Access: Credentials in Files (T1081): 1
  • Discovery: Query Registry (T1012): 1
  • Discovery: Peripheral Device Discovery (T1120): 1
  • Discovery: System Information Discovery (T1082): 1
  • Collection: Data from Local System (T1005): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5: a7399c28a49b723780edd82de862171a
    SHA1: f047f0f71579e04a242d35cebb885f65864913bf
    SHA256: 95844858be75594d92a0bfac364f51fd2c05b4eb24dc861828e33af5b146dc0a
    SHA512: 6116eb44ccfca5270a25497e8af79c8fe46f2b39456f2a7e69c91bfe4858437c9687dfc6fe0515a920cb69a7752d2a39dec32010bd32d4c4a9fab54042a3bac0
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5: a7399c28a49b723780edd82de862171a
    SHA1: f047f0f71579e04a242d35cebb885f65864913bf
    SHA256: 95844858be75594d92a0bfac364f51fd2c05b4eb24dc861828e33af5b146dc0a
    SHA512: 6116eb44ccfca5270a25497e8af79c8fe46f2b39456f2a7e69c91bfe4858437c9687dfc6fe0515a920cb69a7752d2a39dec32010bd32d4c4a9fab54042a3bac0
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5: a7399c28a49b723780edd82de862171a
    SHA1: f047f0f71579e04a242d35cebb885f65864913bf
    SHA256: 95844858be75594d92a0bfac364f51fd2c05b4eb24dc861828e33af5b146dc0a
    SHA512: 6116eb44ccfca5270a25497e8af79c8fe46f2b39456f2a7e69c91bfe4858437c9687dfc6fe0515a920cb69a7752d2a39dec32010bd32d4c4a9fab54042a3bac0
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZM4KV2RG.txt
    MD5: c0c56072924249424165f00f7375aa98
    SHA1: 7a6362141edd5220b1700d2e978dc74e0d0b8acf
    SHA256: ebabcd7b034179145c1d93072c90a2f855dbb4f792d6f145c155095430d60f62
    SHA512: 1fd055b0f6650c1cf1d31d9c45b2f6db426cfe3fa6651a89d5aee9452555a757a8ea77cd718f6fb4196d64ec1fb76f0c3af0eb40f5e3f9c0d4fbc774394519fd
  • C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5: a7399c28a49b723780edd82de862171a
    SHA1: f047f0f71579e04a242d35cebb885f65864913bf
    SHA256: 95844858be75594d92a0bfac364f51fd2c05b4eb24dc861828e33af5b146dc0a
    SHA512: 6116eb44ccfca5270a25497e8af79c8fe46f2b39456f2a7e69c91bfe4858437c9687dfc6fe0515a920cb69a7752d2a39dec32010bd32d4c4a9fab54042a3bac0
  • memory/432-3-0x0000000000000000-mapping.dmp
  • memory/1904-2-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp
    Filesize: 2.5MB