Overview

overview

8

Static

static

5d63b83758...18.exe

windows7-x64

8

5d63b83758...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18.exe

  • Size

    45KB

  • MD5

    ad090589116ae6ba1efb9d09ec7fb098

  • SHA1

    f9efe2e2591204800787907583a88b2a87348b49

  • SHA256

    5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18

  • SHA512

    37572a0131d2d3910fd8bca4bf35982626d61fb0c5ab442c002607fc0c3a312e29f9f571b70faa5e7d8e86ce471b4ad724b7fe1e2f24892ca623de391476e2b3

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18.exe
    "C:\Users\Admin\AppData\Local\Temp\5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18.exe
      C:\Users\Admin\AppData\Local\Temp\5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18.exe
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" http://www.facebook.com
        3⤵
          PID:1572
        • C:\Windows\msnmsgrss.exe
          "C:\Windows\msnmsgrss.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\msnmsgrss.exe
            C:\Windows\msnmsgrss.exe
            4⤵
            • Executes dropped EXE
            PID:1396
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.facebook.com/
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1012
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1888

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      9de0f82c7a16fc6113f3d2324701cd8b

      SHA1

      1d5d2dd9ebbf68eac0e94dcb4005f3ec3f45c97d

      SHA256

      6be8cbf3b0608e576b15ca5519a2e54ed22a0ae8fd335714ddab681fc889a5a7

      SHA512

      0abce989cb76fb1ba1d4ec7e769f0e36ff5e654bf24b1aa4a5e51e1f45d0bec09dd13df7261aa0422642d4901ad0b540fbf90e620d2ec8ff0ed6979eb92b304e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3uhj3kn\imagestore.dat
      Filesize

      11KB

      MD5

      10457677fc5b7af39a2f8f800e3c2563

      SHA1

      61aa2744929fad1c60d6633af8932bd8b3f144f6

      SHA256

      b6a36136f505f94c5618d45ab689ecb66ffa5def1a6feca692e3932a6a78010a

      SHA512

      574b27439ccac920ec6ded9ba94fdd5cb707ed7e5a7b86f92d3b2f79d86b6cd93edca355ce794205c48131105901c433f69d8903563367548621c54b328debb0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KWR5JGZC.txt
      Filesize

      605B

      MD5

      cfbbdad481382ac91b4294e7e6737255

      SHA1

      8652ee37030b5c7f41acebe9f59bcc66f3ba960d

      SHA256

      521a06454657862e7ae47631773ebeeb4d0b2673895fb329d8718dfe4d4a82ae

      SHA512

      560a9246605958c0b2388b721cd52770f91507c757c0afd58b83e3a44bd345bd0cb6768c01a0d6044ffc8c1fc570bf0a6f0384eefef1a30b460a1d48ebfdfb86

      Download Submit
    • C:\Windows\msnmsgrss.exe
      Filesize

      45KB

      MD5

      ad090589116ae6ba1efb9d09ec7fb098

      SHA1

      f9efe2e2591204800787907583a88b2a87348b49

      SHA256

      5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18

      SHA512

      37572a0131d2d3910fd8bca4bf35982626d61fb0c5ab442c002607fc0c3a312e29f9f571b70faa5e7d8e86ce471b4ad724b7fe1e2f24892ca623de391476e2b3

      Download Submit
    • C:\Windows\msnmsgrss.exe
      Filesize

      45KB

      MD5

      ad090589116ae6ba1efb9d09ec7fb098

      SHA1

      f9efe2e2591204800787907583a88b2a87348b49

      SHA256

      5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18

      SHA512

      37572a0131d2d3910fd8bca4bf35982626d61fb0c5ab442c002607fc0c3a312e29f9f571b70faa5e7d8e86ce471b4ad724b7fe1e2f24892ca623de391476e2b3

      Download Submit
    • C:\Windows\msnmsgrss.exe
      Filesize

      45KB

      MD5

      ad090589116ae6ba1efb9d09ec7fb098

      SHA1

      f9efe2e2591204800787907583a88b2a87348b49

      SHA256

      5d63b837589720da7e45a9cff617488eb1e29a39e7ec23de28d495a799d4fc18

      SHA512

      37572a0131d2d3910fd8bca4bf35982626d61fb0c5ab442c002607fc0c3a312e29f9f571b70faa5e7d8e86ce471b4ad724b7fe1e2f24892ca623de391476e2b3

      Download Submit
    • memory/1000-60-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-64-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-65-0x00000000763E1000-0x00000000763E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1000-63-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-61-0x0000000000405232-mapping.dmp
      Download
    • memory/1000-84-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-58-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-57-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-55-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1000-54-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1396-83-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1396-87-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1396-77-0x0000000000405232-mapping.dmp
      Download
    • memory/1572-85-0x0000000074C91000-0x0000000074C93000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1572-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1596-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1740-86-0x000007FEFC211000-0x000007FEFC213000-memory.dmp
      Filesize

      8KB

      Download