Overview

overview

8

Static

static

47bcda5c1f...e1.exe

windows7_x64

8

47bcda5c1f...e1.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    53s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1.exe

  • Size

    27KB

  • MD5

    cb1814f943f708d032b7587a858390e9

  • SHA1

    e94f6b03ab0e81497c15898f47e3a1395356b50f

  • SHA256

    47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1

  • SHA512

    edbdcf77c6005cc716a0cc99223cdaaac3dd96debfa60f507ae670f598e8d34cc2d9fa985c4edd24eb59c633634c29c2fda6d56a32493be82c6d27b05177066b

Score
8/10
evasion

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1.exe
    "C:\Users\Admin\AppData\Local\Temp\47bcda5c1f05dabceb6c20797ad6501a0494628f1b7266a7264348eacf22d6e1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F2F7.tmp\Sendable Virus.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\net.exe
        NET SESSION
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 SESSION
          4⤵
            PID:2000
        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
          3⤵
            PID:1996
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im explorer.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://www.roblox.com/--item?id=92726221
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1740
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\opendisk.vbs"
            3⤵
            • Enumerates connected drives
            PID:1228
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbox.vbs"
            3⤵
              PID:112
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x4f8
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1352

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          60KB

          MD5

          b9f21d8db36e88831e5352bb82c438b3

          SHA1

          4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

          SHA256

          998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

          SHA512

          d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          304B

          MD5

          29bb05f895276e5a9a9e9be7958d1834

          SHA1

          9c87c510109d59a169ea6e015e210cb25c41e7a5

          SHA256

          8e19b9bd7c65ecc466cc2655f5f80ff25eeebe22d5a22954ffe1d410a15a1f96

          SHA512

          d6c806ef8d9a5dcbd6981a7bfae764d2c5eca90f5a9a958c58cd5ba3e70ac3a4c899ece28c3370630a5bd0977e650165b46bbd0e3ab2429725db75a7a2135179

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\F2F7.tmp\Sendable Virus.bat
          Filesize

          9KB

          MD5

          6341e2b6cc6ffbdd6c0c336d6509ba9a

          SHA1

          63c360fb605b30c13aae5ab9eac6349f0b80cadd

          SHA256

          73f08a5f5ecf882ac778525e206808126740864bdd2759dd2b02803b8053d6af

          SHA512

          9081740c8a9a72322a50341d17e232c10a626fd41ddbc0f835ba58b4f7fc52b85bfb4c7407b7cdb0ee90513275485647d76bc22867816b1acf3e1ac05def8e67

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\msgbox.vbs
          Filesize

          89B

          MD5

          7381f78df6c2dbf25897c1b8e5ec2b43

          SHA1

          781da509fa801ca5d8077760f7496baf70a7a56d

          SHA256

          1b88a7b9a6c92560134f28b3a6f20368f5427a010c05d5b11a028ae3add6daee

          SHA512

          6636f8113776c96bdca112a1badcf79a90ea6adfc1d0a6da4c2a1b2d1e1af8625745633ddae64ec7cefd08e6243ef88f494220c0d08dd5612d693b772982af60

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\opendisk.vbs
          Filesize

          150B

          MD5

          673c512ec9af60c105943e3ba19faf51

          SHA1

          e7fe0263a97aec3c2d4043a5aa311962cf8766ec

          SHA256

          aec339e8f195ff6943f64f6ca57b022a670a0a5189d82925bde181d434128080

          SHA512

          041af250bc25324fba28c2b7f71436f6686447f6a9d1988906d2eae4cbac189232a50c63481e881896691dbbad632b814bad521d0de316dc29fdedec861406ee

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4OVBHTZD.txt
          Filesize

          605B

          MD5

          ee929d5c88c462b6aabc618047ef074a

          SHA1

          d9e2cf6182d4de020b941e8b044bc2f18644e1ef

          SHA256

          16309be632a43c9938973d0bab3080bfc2bf082ccd4238446a4cb15a3f2cf290

          SHA512

          eec9ec56004737e2f4cffad690953d78d664e83aec9b837a6597ce02aea259c7850e5021aec658fe0a19e3ace9b797aa11cf8aaadb72dccd19733925321eb087

          Download Submit

        • memory/112-64-0x0000000000000000-mapping.dmp

          Download

        • memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1228-62-0x0000000000000000-mapping.dmp

          Download

        • memory/1920-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1996-59-0x0000000000000000-mapping.dmp

          Download

        • memory/2000-58-0x0000000000000000-mapping.dmp

          Download

        • memory/2008-60-0x0000000000000000-mapping.dmp

          Download

        • memory/2032-55-0x0000000000000000-mapping.dmp

          Download