Overview

overview

10

Static

static

3ec149660a...da.exe

windows7_x64

10

3ec149660a...da.exe

windows10_x64

10

Resubmissions

28-01-2022 12:16

220128-pflylaccar 10

22-01-2022 08:05

220122-jyv2bsaddr 10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ec149660a6808f711ca6cb6b20c1dda.exe

  • Size

    658KB

  • MD5

    3ec149660a6808f711ca6cb6b20c1dda

  • SHA1

    45c3d1d8dd512c01fd6c897c67b35c13c49828cb

  • SHA256

    2d288f2cd6752a01360f2669959e2c61f676f8156d5cc40d4b415245ae04cf6d

  • SHA512

    3a15e7bfbabeb296001086453320a133dc242ef170ccf45d459d2a7f402fadfe3329099d79b368416d565ba0c16eb051b64fe7b756c21f822ab49ec483b5649d

Score
10/10
suricata

Malware Config

Signatures

  • suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    suricata
  • suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    suricata
  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

    suricata
  • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

    suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

    suricata
  • Executes dropped EXE 4 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ec149660a6808f711ca6cb6b20c1dda.exe
    "C:\Users\Admin\AppData\Local\Temp\3ec149660a6808f711ca6cb6b20c1dda.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Public\Videos\1643375786\7zz.exe
      "C:\Users\Public\Videos\1643375786\7zz.exe" X -ep2 C:\Users\Public\Videos\1643375786\1.rar C:\Users\Public\Videos\1643375786
      2⤵
      • Executes dropped EXE
      PID:436
    • C:\Users\Public\Videos\1643375786\ojbkcg.exe
      "C:\Users\Public\Videos\1643375786\ojbkcg.exe" -a
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1140
  • C:\Users\Public\Documents\auto\111.exe
    "C:\Users\Public\Documents\auto\111.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\ProgramData\7z.exe
      "C:\ProgramData\7z.exe" x C:\ProgramData\bb.zip -oC:\Users\Admin\AppData\Roaming\Microsoft\Windows
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/436-57-0x0000000076141000-0x0000000076143000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1140-69-0x0000000180000000-0x00000001808AB000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/1140-68-0x0000000002140000-0x00000000029B5000-memory.dmp

    Filesize

    8.5MB

    Download

  • memory/1668-55-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

    Filesize

    8KB

    Download