Overview

overview

8

Static

static

e499dbd642...71.exe

windows7_x64

8

e499dbd642...71.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe

  • Size

    2.2MB

  • MD5

    01aa30ee7124cc681702987f34aa17d1

  • SHA1

    def4bbfec82aa5e0c1227ed230b110bf7413f9c9

  • SHA256

    e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371

  • SHA512

    c3ecbdd41afeb5a3564eee26553f22d37b7d7413d64a5af815de12eaee0818a9b2d8b0647932dc357156cd8b37007829a63a1cd9e1dfce36ea5766706397c6e9

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe
    "C:\Users\Admin\AppData\Local\Temp\e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\._cache_e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ni.com/rteFinder?dest=lvrte&version=16.0&platform=Win7_32&lang=en
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:804 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:524
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    MD5

    e5347605940b6ccee0e3bdd9e3e792d4

    SHA1

    25c30beaebf340087282a77962848d95ff20476a

    SHA256

    a400d85f284d26f05a6f24bd3692e818a385e32f4f7125b6cc8ac1d8ac5d6d2a

    SHA512

    c62d169affb4b0bd459e52e3df0a76be64f8a1fcb78a3c1b5f9a886898e3465bc0ccdf675d074217b5c18275a19fb02b494fc83349d819128c7e89d289e554aa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    15775d95513782f99cdfb17e65dfceb1

    SHA1

    6c11f8bee799b093f9ff4841e31041b081b23388

    SHA256

    477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

    SHA512

    ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
    MD5

    4f914d6a12b48374677859978d3def97

    SHA1

    d29a1ff9bc1fbf5c4c0cf3210c9aefe33fc8e5a5

    SHA256

    eb9ac8c88c0857b9588076073491eec79f4725aa32bc7af00c20ef31095d1d68

    SHA512

    ab9cc44820d05b5207d1210e189041f3df258346619f05ae1b058de8b358438095a09b0fed26fcf09d7d08caae353f680936ebe24fdc94c18411463d5ecfbe61

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    fa5b7b2b649d310e2bcc998155e1fd8a

    SHA1

    1910d828a3e45bf330652edd1243144a7bc242a4

    SHA256

    d7555e14cc5fef8a975e6810d2d779969ca699d0a8d463c111e621438d7593cc

    SHA512

    c0b8b34e6bfc4ab7a8ed8c9edff81149a39da2dc6598b17972591106be3039a84283fefaf8aa5ee41ecdbdb56aace81b5fc2b668748b325e5e45e43e3c1aea07

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    908272540e0870cd304df1beb4dfa550

    SHA1

    1cbab1ab612ef3e58020a06162aa7c60274274fc

    SHA256

    7a8aaa25f82261708e95d9f7ad9e5d96830a11aaef822459feaffdceb54acf8a

    SHA512

    e7794d389f23fe56b573aa3a4add9366096c6b108dd80e5d3c8142a8324d2511206d399e0fc809d0a9e6471533c7dee584f926594a591cf5659a94b73d63d275

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
    MD5

    cb5638030cc179bbfd6f870a27618b84

    SHA1

    b9e9beaa3e7b349436e73c45052b385c2d063133

    SHA256

    b681dd2db2abce222e44c21f74b992a53aae4c269a092884d22f31f66041b66e

    SHA512

    d5443d843f72d3ea76aa918d9007788319e1b06681f057d44792bb953984529dfaaefd27421fa5a5006a8137505d7f04c168cf7c75f250d6ddd46674d1de5f9d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    c667fcfef13ae52bc8a243a125573762

    SHA1

    8b1f611cad0584aefd6f44bac654d129ec7126b5

    SHA256

    7ae6041994e0f67704d3047accebbcb9e43799e70fb503c42d24e1b5a54ab67e

    SHA512

    21af0316a017b0147594e2abcff8c8adc269137424da4cd6267142ac3b131b8b96eacc081bd884f3ffeb7234f8656e9dc5f4f0d5cf3abd807257b3643b413795

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
    MD5

    87c1d12d197eddbd33d96659aab02f67

    SHA1

    380ca47a18e45de5449726ff3114739d348533d8

    SHA256

    25ce6e920a57b685916b361c114abf0a295fe1873e14c1374f229e270b4d1a94

    SHA512

    5fba2c40ae34bfd55b61811ec0393fb0d98da1c5a942296fa8aeb0cdeb20dd9002a2fc93b742c6fd14bd6d4f3fa907a0d4e70b80371c790891659476bbb1bf46

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\._cache_e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe
    MD5

    a774850a62829ce6b354c9d75d1ae525

    SHA1

    f492399ce5b9f8de93d09ed8ed3627cd2b02239e

    SHA256

    ccd0c4a28d64f8cb802c6508caab60cfe92c9b0856840aa2b2334ece002e3a76

    SHA512

    a3af33dbb30262a13057f5b1623665d92e0d8c20f8ffa03cbda8b475ea6e35bf0b41bec32345cdb6f89e3d495c0d6dade597e98cc653c09211771c4eb92bf758

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KS1OZ5NJ.txt
    MD5

    99c97c547d5e7fd236bdfebd8f341be0

    SHA1

    5ff55ac4332b6897c97b86040cd8ab90324fdb0a

    SHA256

    07ca818b3d39100de61c65e7c456584fe0b6eefe4f670f05bda7bff4b10ffa2f

    SHA512

    c8d2dda2eb103b12b4f99b06cfcfe2cb5f3e916700448d89e755dd1467187a74712b147084a5ae5cc04f196a0a731e831d5d237735e94fe6861eba94cb1c7bba

    Download Submit
  • \ProgramData\Synaptics\Synaptics.exe
    MD5

    e5347605940b6ccee0e3bdd9e3e792d4

    SHA1

    25c30beaebf340087282a77962848d95ff20476a

    SHA256

    a400d85f284d26f05a6f24bd3692e818a385e32f4f7125b6cc8ac1d8ac5d6d2a

    SHA512

    c62d169affb4b0bd459e52e3df0a76be64f8a1fcb78a3c1b5f9a886898e3465bc0ccdf675d074217b5c18275a19fb02b494fc83349d819128c7e89d289e554aa

    Download Submit
  • \ProgramData\Synaptics\Synaptics.exe
    MD5

    e5347605940b6ccee0e3bdd9e3e792d4

    SHA1

    25c30beaebf340087282a77962848d95ff20476a

    SHA256

    a400d85f284d26f05a6f24bd3692e818a385e32f4f7125b6cc8ac1d8ac5d6d2a

    SHA512

    c62d169affb4b0bd459e52e3df0a76be64f8a1fcb78a3c1b5f9a886898e3465bc0ccdf675d074217b5c18275a19fb02b494fc83349d819128c7e89d289e554aa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\._cache_e499dbd642fc2fb8dc4db16dd6d2a99fc1397d6fe6fe9b644751f2ec4178f371.exe
    MD5

    a774850a62829ce6b354c9d75d1ae525

    SHA1

    f492399ce5b9f8de93d09ed8ed3627cd2b02239e

    SHA256

    ccd0c4a28d64f8cb802c6508caab60cfe92c9b0856840aa2b2334ece002e3a76

    SHA512

    a3af33dbb30262a13057f5b1623665d92e0d8c20f8ffa03cbda8b475ea6e35bf0b41bec32345cdb6f89e3d495c0d6dade597e98cc653c09211771c4eb92bf758

    Download Submit
  • memory/524-72-0x0000000000000000-mapping.dmp
    Download
  • memory/804-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1956-69-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1956-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-61-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-59-0x0000000076281000-0x0000000076283000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2040-63-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download