Overview

overview

8

Static

static

9f3c1668ee...37.exe

windows7_x64

8

9f3c1668ee...37.exe

windows10-2004_x64

8

Resubmissions

14-03-2022 17:54

220314-wgxvtaafb4 8

Analysis

  • max time kernel
    4294219s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    14-03-2022 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37.exe

  • Size

    490KB

  • MD5

    3b3a50b242841e1789a919b1291051f1

  • SHA1

    7b74a50352bb16ba94201c8a9e35b3c1d8a9dc8c

  • SHA256

    9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37

  • SHA512

    ee56efff743ace5d667536acc2134d1f8add17cf8c19787e37a0b86d1a12cf975a26e8920cdf5b5941b698fc0fc5d1450852f80afef95de0e84f254433e39e77

Score
8/10
ransomware

Malware Config

Signatures

  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37.exe
    "C:\Users\Admin\AppData\Local\Temp\9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    PID:964
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RUSSKIJ VOENNIJ KORABL IDI NAHUJ.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1128
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RUSSKIJ VOENNIJ KORABL IDI NAHUJ.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:548
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap31507:124:7zEvent21092 -ad -saa -- "C:\Users\Admin\Desktop\RUSSKIJ VOENNIJ KORABL IDI NAHUJ"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{68A141A0-A3C8-11EC-BF0F-C6B032256E8A}.dat
    MD5

    b468b0f61bfa1a83358c77a66fc6dbb3

    SHA1

    8fc4b9a30e39e7791187421543f76214690d0ede

    SHA256

    ae12e17c4b6d416695f059e2cf354c65500e6d2323fe52ec17bb4835b4316d11

    SHA512

    ffd33a022157ffc00ab0b425aef4a55f682f2cb2f0d3c34bd372da906e905998444d2e3e7c41a8d87a2dae6cd9c96fbf35ef357d955dcab29a9f593cefa4e0ff

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{68A168B0-A3C8-11EC-BF0F-C6B032256E8A}.dat
    MD5

    edea2890e0c428a312e7881eb06ad0c7

    SHA1

    616859aa6335b525a42e47d905eba1df6be6c58c

    SHA256

    5ffff1c0edd03f69cd2f66b2b0610a9c323f9fc67d5974cd7c04bc44795f5d8c

    SHA512

    37f9e7928fabc00eb2c39a5509b7a311b4c30a75283be5c83fb0774c66d5e9e2273fd7b128d97b1387828520a193ac4d6f2b03f5066494530cc17ad1283b78ad

    Download Submit
  • C:\Users\Admin\Desktop\RUSSKIJ VOENNIJ KORABL IDI NAHUJ.html
    MD5

    115563e32e20da5bce091141b11baa7b

    SHA1

    10f644defbc17d72103be3ca8dce5b0411eb60db

    SHA256

    6858c46e0d7096a60c346a66978be8ac2a675f8eb73c362c55c143f8b52fd5b0

    SHA512

    750834111865433886be946f432a4114099c317edf916687dac8c443c400dd5d9e62d0bacfa3e6b143e65ea1db9023f34f56cc574c8cde442aaa55afa22db722

    Download Submit
  • memory/964-54-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp
    Filesize

    8KB

    Download