Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-05-2022 05:33
General
-
Target
ppdjdafasqfz_gr/???????????6.06.exe
-
Size
1.9MB
-
MD5
189e90af285ac23f7c7e613455e78e43
-
SHA1
7353341eb1cdea65e69be679bd5d00c7faf9d63e
-
SHA256
fa640ccad7e977a775f19e69a317d07c163f9dce07a2e984d45f3579eefb4f30
-
SHA512
3702ed7e63d9bb0497e84e50e98309cc5d38032f2c0663d1d2b80bf78d3027cbe7f85bb52c7864d96262c9df96f32f02d54ec19877188054e721310d0a8f5353
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ppdjdafasqfz_gr\___________6.06.exe"C:\Users\Admin\AppData\Local\Temp\ppdjdafasqfz_gr\___________6.06.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?k529109692⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD526cf006188d29c9e576cf0060bbb6eec
SHA1dd4782cdcfbebffafeb3a99d0c5a5269ec7107d2
SHA2566e5761ed9dfc9e14308029c3c1e3e1b9c751bbf9f668a4f32d0d8b261fd6377f
SHA5122ead9377be1eb688a8687147d038aa4b510b70d40f9a610cd4fcb237e004661d4f10cf6ce3dfd38846db0cf9d6cb86719688486f9319479d7405a48e4da4b2c9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V517UX9G.txtFilesize
603B
MD5f0ea9163af20737c29854e0a1f294ab5
SHA15a0a87af67bed8d24525af43ef9179e28b880c69
SHA256b2e8562535b1245c34d05b80a5ad0b364292ec3cc9adeec9ebe55b76109fd10d
SHA512500daf6f8b55ea1a5d01d2ff3ef8fc6e8150f0fb9663b17fb52341f77616ab52c5e85119c571211d8d09374f36b18e8209d16f2e17b08740b95f394bd65177d2
-
memory/684-54-0x0000000000400000-0x0000000000884000-memory.dmpFilesize
4.5MB
-
memory/684-55-0x00000000753B1000-0x00000000753B3000-memory.dmpFilesize
8KB
-
memory/684-56-0x0000000077400000-0x0000000077580000-memory.dmpFilesize
1.5MB
-
memory/684-57-0x0000000000400000-0x0000000000884000-memory.dmpFilesize
4.5MB
-
memory/684-59-0x0000000000400000-0x0000000000884000-memory.dmpFilesize
4.5MB
-
memory/684-58-0x0000000077400000-0x0000000077580000-memory.dmpFilesize
1.5MB