Overview

overview

10

Static

static

7defc8cea1...ee.exe

windows7-x64

7defc8cea1...ee.exe

windows10-2004-x64

Analysis

  • max time kernel
    105s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 01:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

  • Size

    96KB

  • MD5

    8b7998d0f4236f4d0bb2c145a27fcf77

  • SHA1

    72a366ce17c86fae0ffe25411f11a6704637f454

  • SHA256

    7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee

  • SHA512

    5ee0e46758a9142debbcb35dc1701c319651d0d4061867f11ce5fd50032cafe109cdec96b476e9aec84d5eaa718d98eb47d35437cdb6b988facb70ec3eca574f

  • SSDEEP

    1536:7mGuD0/OD6fctEwAynAnOQjbQokSrHPHvFHJR+ltYGpMPkjBBPZW8HaYD2BzyAoP:6GlctCDQpSrHvvFHJRP3QBPZW8HhD2Bq

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 2 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
    "C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Modifies Internet Explorer Phishing Filter
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1608
    • C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -f -t 10
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1680
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1052

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1608-57-0x0000000075A91000-0x0000000075A93000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1680-59-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

        Filesize

        8KB

        Download