Analysis

  • max time kernel: 152s
  • max time network: 144s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 20-05-2022 22:21

General

  • Target: dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910.exe
  • Size: 3.7MB
  • MD5: dcab6a3b553a1bce6c3202ba1d5b60bb
  • SHA1: 89c7c300b75e288247dc767748934beacf44c62e
  • SHA256: dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910
  • SHA512: 0143699c3600484dcce96d056c7bf6891e6fd9e8cc7e0a88aee350b49e257fbb7cae2028174ce1e2cf5f10bf8fed870101db5c745b670a8716a397e2c988489d

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910.exe
    "C:\Users\Admin\AppData\Local\Temp\dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910
      2⤵
        PID:1996
      • C:\Windows\SysWOW64\msng.exe
        "C:\Windows\system32\msng.exe" fuckystart
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe http://www.OpenClose.ir
          3⤵
            PID:2004
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:956
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.openclose.ir/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Hidden Files and Directories: T1158 (1)
    • Registry Run Keys / Startup Folder: T1060 (1)
  • Defense Evasion
    • Hidden Files and Directories: T1158 (1)
    • Modify Registry: T1112 (3)
  • Discovery
    • Query Registry: T1012 (1)
    • Peripheral Device Discovery: T1120 (1)
    • System Information Discovery: T1082 (2)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7930V9JE.txt
    Filesize: 603B
    MD5: 6fbba744cb44f366ae3524ad4d3f40d8
    SHA1: 74717607ed419c31a01eaf5ace055381b4209924
    SHA256: af80c66430543b6a5fc3cac2670abf5efced90761d557ec99293dd3158ec8f2d
    SHA512: 31301d7d2dcd8e46e305420ad57eb6281eff01a9499cc08bd6cdfe20bd6202103d193d89add0869554162d1d19939e554d46854b0759f4dffed9d6c7c3c729c3

  • C:\Windows\SysWOW64\msng.exe
    Filesize: 3.7MB
    MD5: dcab6a3b553a1bce6c3202ba1d5b60bb
    SHA1: 89c7c300b75e288247dc767748934beacf44c62e
    SHA256: dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910
    SHA512: 0143699c3600484dcce96d056c7bf6891e6fd9e8cc7e0a88aee350b49e257fbb7cae2028174ce1e2cf5f10bf8fed870101db5c745b670a8716a397e2c988489d

  • C:\~0002ftd.tmp
    Filesize: 100B
    MD5: 62bc1d702b4a69f188b417bb1dcbd11b
    SHA1: 6ab82d05924aeff05d00cd54bf152276875195b3
    SHA256: 7187fd637a29523b57e83824c2de1fbce670abe5c38f620da681acd177076887
    SHA512: e0c814701a6f1b43820154bed493ddefd804bfbcd64469e86a2ae7d1bcdb2cae2192e1a355045791dec2397e62f8d24fecf42c71b67eda5fc2b728291be8ccf8

  • \Windows\SysWOW64\msng.exe
    Filesize: 3.7MB
    MD5: dcab6a3b553a1bce6c3202ba1d5b60bb
    SHA1: 89c7c300b75e288247dc767748934beacf44c62e
    SHA256: dcf022c83dd3090ab93d331fadb4c145bed3323aba1e10e68caf0969b24c5910
    SHA512: 0143699c3600484dcce96d056c7bf6891e6fd9e8cc7e0a88aee350b49e257fbb7cae2028174ce1e2cf5f10bf8fed870101db5c745b670a8716a397e2c988489d

  • memory/956-68-0x00000000039C0000-0x00000000039D0000-memory.dmp
    Filesize: 64KB
  • memory/956-67-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp
    Filesize: 8KB
  • memory/1528-56-0x0000000074DC1000-0x0000000074DC3000-memory.dmp
    Filesize: 8KB
  • memory/1996-63-0x0000000074591000-0x0000000074593000-memory.dmp
    Filesize: 8KB
  • memory/1996-57-0x0000000000000000-mapping.dmp
  • memory/2004-71-0x0000000000000000-mapping.dmp
  • memory/2004-73-0x00000000747B1000-0x00000000747B3000-memory.dmp
    Filesize: 8KB
  • memory/2008-61-0x0000000000000000-mapping.dmp