Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 03:11

General

  • Target

    52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98.exe

  • Size

    966KB

  • MD5

    6771ab57f16fb119e7faad8b5ded4bdc

  • SHA1

    12fdb11ef12990764acb5c7a2c21d7ec0f26092b

  • SHA256

    52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98

  • SHA512

    b188d3abd664ad83021707b7ba8c752dd475137c9a491ed0c28180229c9fb09666b56c2a8c44ad348c55b50a6dd0d80a07e673f13eaf6973964959a5b848c308

  • SSDEEP

    3072:CNnqDxIGX/9nDiG7t6yCAti1zxGJidD5iYAHg4Cs7lJgxwL0out:CNnxKL0oS

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox treats this as likely ransomware behaviour; on its own it is a weak indicator, since legitimate software enumerates drives as well.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
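The "UPX packed file" signature above is a static match on the packer's markers, and its description explicitly covers modified UPX builds, which commonly rename the UPX0/UPX1 sections to defeat name-based rules. Before unpacking, an analyst normally confirms the indicators from the file's own structure. The following is an added example written for this page, not code from the report or from the sandbox vendor: it parses the PE section table and checks a name indicator (UPX* section names), the "UPX!" magic, and the structural fingerprint of a packed image (an empty first section reserved as the unpack destination, followed by a high-entropy section). The minimal PE builder and the high-entropy payload are constructed fixtures; none of the bytes come from the sample analysed here.

```python
"""Confirm UPX-style packing from a PE file's own structure (added example)."""
import hashlib
import math
import struct

def pe_sections(data):
    """Parse the PE section table; return [(name, raw_size, raw_ptr, virt_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        virt_size, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_size, raw_ptr, virt_size))
    return sections

def shannon_entropy(buf):
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def upx_indicators(data, entropy_threshold=7.0):
    """Name-based and structural UPX indicators. Renaming sections defeats only the first."""
    sections = pe_sections(data)
    return {
        "upx_section_names": any(s[0].startswith("UPX") for s in sections),
        "upx_magic": b"UPX!" in data,
        # Stock UPX leaves section 0 with no raw data but a large virtual size:
        # the stub decompresses the original image into it at run time.
        "hollow_first_section": bool(sections) and sections[0][1] == 0 and sections[0][3] > 0,
        "high_entropy_sections": [
            name for name, raw_size, raw_ptr, _ in sections
            if raw_size and shannon_entropy(data[raw_ptr:raw_ptr + raw_size]) > entropy_threshold
        ],
    }

def build_fake_pe(sections):
    """Constructed fixture: a minimal PE32 with the given [(name, raw_bytes, virt_size)]."""
    opt_size = 0xE0                                      # PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    table_end = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (table_end + 0x1FF) & ~0x1FF               # 512-byte file alignment
    headers, blobs = bytearray(), bytearray()
    for name, raw, virt_size in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), virt_size, 0,
                               len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0)
        blobs += raw
        raw_ptr += len(raw)
    image = dos + b"PE\0\0" + coff + opt + headers
    image += bytes(((table_end + 0x1FF) & ~0x1FF) - len(image)) + blobs
    return bytes(image)

# Constructed high-entropy payload standing in for compressed code (not sample data).
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

STOCK_UPX = build_fake_pe([(b"UPX0", b"", 0x20000), (b"UPX1", b"UPX!" + HIGH_ENTROPY, 0x2000)])
RENAMED_UPX = build_fake_pe([(b".text", b"", 0x20000), (b".data", HIGH_ENTROPY, 0x2000)])
PLAIN = build_fake_pe([(b".text", b"\x90" * 4096, 4096)])

if __name__ == "__main__":
    for label, image in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

The renamed fixture is the case the signature description warns about: the section names say nothing, but the empty first section plus a near-8-bit-per-byte second section still give the packer away. Treat the entropy threshold as tunable; resource-heavy or already-compressed legitimate binaries can exceed 7.0 in a data section.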

Processes

  • C:\Users\Admin\AppData\Local\Temp\52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98.exe
    "C:\Users\Admin\AppData\Local\Temp\52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Users\Admin\E696D64614\winlogon.exe
        Error 448
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1880
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1268
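Every defence-evasion and persistence signature in the tree above is attributed to the third winlogon.exe instance (PID 1880), and each of them (RegEdit and Task Manager disabled, Explorer hiding extensions and hidden/system files, UAC bypass, firewall policy, image file execution options, Run key, Windows security modification) is a registry write. The report counts the IoCs but does not print the values. The following is an added example, not code from the report or the sandbox: it parses a `reg export` fragment offline and applies rules for the registry locations those signature families are known to check, so the same triage can be run against a registry export collected from a suspected host. The .reg fragment is constructed to exercise every rule and is not this sample's registry data; the IFEO target (taskmgr.exe) and the Run value name are illustrative.

```python
"""Offline audit of a `reg export` (.reg) fragment for registry tampering (added example)."""
import re

# Constructed fixture in .reg syntax; not this sample's registry data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
'''

KEY_RE = re.compile(r'^\[-?(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {(key_path, value_name): data}, keys and names lower-cased.
    dword data becomes int, quoted strings are unescaped, other types stay raw."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('dword:'):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            values[(key, name)] = data
    return values

POLICY_SYSTEM = r'software\microsoft\windows\currentversion\policies\system'
EXPLORER_ADV = r'software\microsoft\windows\currentversion\explorer\advanced'
FIREWALL = r'system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy'
IFEO = r'software\microsoft\windows nt\currentversion\image file execution options'
RUN = r'software\microsoft\windows\currentversion\run'
SEC_CENTER = r'software\microsoft\security center'
# Autostart targets under these roots are not flagged; anything else is user-writable.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')

def audit(values):
    """Apply the rules; return [(finding, key_path, value_name, data)]."""
    findings = []
    for (key, name), data in values.items():
        hive, _, path = key.partition('\\')
        hit = None
        if path == POLICY_SYSTEM:
            if name == 'disableregistrytools' and data == 1:
                hit = 'RegEdit disabled'
            elif name == 'disabletaskmgr' and data == 1:
                hit = 'Task Manager disabled'
            elif name == 'enablelua' and data == 0 and hive == 'hkey_local_machine':
                hit = 'UAC disabled'
        elif path == EXPLORER_ADV:
            if name == 'hidefileext' and data == 1:
                hit = 'File extensions hidden in Explorer'
            elif name == 'hidden' and data == 2:
                hit = 'Hidden files hidden in Explorer'
            elif name == 'showsuperhidden' and data == 0:
                hit = 'Protected system files hidden in Explorer'
        elif path.startswith(FIREWALL + '\\'):
            if name == 'enablefirewall' and data == 0:
                hit = 'Windows Firewall profile disabled'
            elif path.endswith(r'\authorizedapplications\list'):
                hit = 'Firewall application exception added'
        elif path.startswith(IFEO + '\\') and name == 'debugger':
            hit = 'IFEO Debugger hijack'
        elif path == RUN and isinstance(data, str):
            if not data.lower().lstrip('"').startswith(TRUSTED_ROOTS):
                hit = 'Autostart from user-writable path'
        elif path == SEC_CENTER and name.endswith('disablenotify') and data == 1:
            hit = 'Security Center notifications suppressed'
        if hit:
            findings.append((hit, key, name, data))
    return findings

if __name__ == '__main__':
    for finding in audit(parse_reg(SAMPLE_REG)):
        print('%-42s %s\\%s = %r' % finding)
```

On a live Windows 7 host the input would be produced with `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg`; the rules only encode the well-known locations, so any of these findings still needs the value's timestamp and the writing process (here PID 1880) to tie it to the sample.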

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

          Filesize

          2KB

          MD5

          1c626eac6241b02b0082a76f150a3a8a

          SHA1

          b7c0c6ae1d3d5a2beaf4c4f3744cac6285f04858

          SHA256

          412116af67c3a894bee8821158ee91447ca6cfe0d5b43d0524e6c5af5defaf69

          SHA512

          8550f0ec9a9c5f152a3b5eb49a91084d3201589373b8d381233926f1ac34bd0c276fa1e3c9da75bd8297f417d9f566f4bf6b882107c7255522f745e6d446802a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          60KB

          MD5

          6c6a24456559f305308cb1fb6c5486b3

          SHA1

          3273ac27d78572f16c3316732b9756ebc22cb6ed

          SHA256

          efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

          SHA512

          587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

          Filesize

          1KB

          MD5

          48e98893438d04fa64bb49bbdafbf960

          SHA1

          e28578281fc80cb97275a94aa0e9da0db8285b87

          SHA256

          2ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d

          SHA512

          9eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

          Filesize

          488B

          MD5

          a521a648a90493cfea260c6616df6c3a

          SHA1

          404f2bd59e5f4604e2eee06b80796ad0964db2f1

          SHA256

          46f0134873f714a81a0bc6e9b5dbd827c0a6f00fdeee3e192b9ffcf02adb13ba

          SHA512

          8297859028496ebcfe47f95f1d0beadefa9527d4a37988c5556bb75d428a2cd04855ad249503a169941bae6d3e9150dc0bca1ebc247788d4b07fdbfcef629526

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          769f48e26c8ca45b89c4562f0657ed87

          SHA1

          74e8f85dfd73ad0c1660430aa36da0093687d303

          SHA256

          f1a801c58d479adf25481fad1cbb29bab553c0dac83e148dafc0218be4949ae1

          SHA512

          f1b4f23ddb998ef5f0316923d1049b9ef38ffccf6126214ae722ba327b5a320b2ab7d255278d24c60124c0d485a0dd32fc975b5579aa0fcf8c31fcc07ea82281

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

          Filesize

          482B

          MD5

          876fb1b96dbe98a1e5532caa45769110

          SHA1

          1888111dd4e90fc85c3864ebd57eb75958be0d0b

          SHA256

          ab9da99be85d3f50948c16b0dc1183aa6ed3a78433d74cdd31b2c977e81834b9

          SHA512

          8eea04d36a46857d35f0554d2cf94be90eb13d0adaed55507ac95f1016a7cbb2177c724e13a3348c83084b4c6423b1959850883111f7790d935e8228859ed05e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QMDCH341.txt

          Filesize

          97B

          MD5

          dfd2e2209d616cff823479f68772b0f0

          SHA1

          86b4383c32c7589159e2ae18fe612facc1a4b0f9

          SHA256

          0afa7dcd01e1407a0b2085b0f88043dac0f4c5d80991ed1640bceff9348341dc

          SHA512

          53f8e363c3456abb7b80b24cd8f6cb52403eb79cce6c136a7a3df87ade959249065e4637b9c961883fd22ba4482327d3176ffe6b52063d6bfd45af8e4ba14f68

        • C:\Users\Admin\E696D64614\winlogon.exe

          Filesize

          966KB

          MD5

          6771ab57f16fb119e7faad8b5ded4bdc

          SHA1

          12fdb11ef12990764acb5c7a2c21d7ec0f26092b

          SHA256

          52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98

          SHA512

          b188d3abd664ad83021707b7ba8c752dd475137c9a491ed0c28180229c9fb09666b56c2a8c44ad348c55b50a6dd0d80a07e673f13eaf6973964959a5b848c308

        • \Users\Admin\E696D64614\winlogon.exe

          Filesize

          966KB

          MD5

          6771ab57f16fb119e7faad8b5ded4bdc

          SHA1

          12fdb11ef12990764acb5c7a2c21d7ec0f26092b

          SHA256

          52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98

          SHA512

          b188d3abd664ad83021707b7ba8c752dd475137c9a491ed0c28180229c9fb09666b56c2a8c44ad348c55b50a6dd0d80a07e673f13eaf6973964959a5b848c308

        • memory/952-66-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/1808-62-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/1808-56-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/1808-57-0x0000000076171000-0x0000000076173000-memory.dmp

          Filesize

          8KB

        • memory/1880-68-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1880-73-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1880-72-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1880-83-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1880-84-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB
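The dropped-file list records C:\Users\Admin\E696D64614\winlogon.exe with exactly the MD5/SHA1/SHA256/SHA512 of the submitted sample, and the same file appears again under a drive-less \Users\... path. Read together with the process tree (the sample launches the copy, which launches itself once more with SetThreadContext and WriteProcessMemory flagged) and the memory dumps (PIDs 1808 and 952 carry a 288KB region at 0x400000, PID 1880 a 252KB one), this is a dropper that copies itself, persists under a Windows system-binary name outside System32, and relaunches; the smaller image region in the third instance is consistent with a different image being mapped into it, which is an inference and not something the report states. The following is an added example, not part of the report or the sandbox, that turns those observations into checks over the report's own "Downloads" text: it parses the entries, collapses the two spellings of one path, flags dropped files identical to the sample, flags system-binary names outside the system directories, and tabulates the image-region sizes per PID. The excerpt is condensed from the entries above (blank lines and MD5/SHA1/SHA512 values dropped); SYSTEM_BINARIES and the assumed C: system drive are mine.

```python
"""Checks over a Triage-style 'Downloads' listing (added example, not report code)."""
import re
from collections import defaultdict

# Condensed from the report entries above: blank lines and MD5/SHA1/SHA512 values dropped.
REPORT_EXCERPT = r"""
• C:\Users\Admin\E696D64614\winlogon.exe
  Filesize
  966KB
  SHA256
  52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98
• \Users\Admin\E696D64614\winlogon.exe
  Filesize
  966KB
  SHA256
  52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QMDCH341.txt
  Filesize
  97B
  SHA256
  0afa7dcd01e1407a0b2085b0f88043dac0f4c5d80991ed1640bceff9348341dc
• memory/1808-56-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize
  288KB
• memory/952-66-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize
  288KB
• memory/1880-68-0x0000000000400000-0x000000000043F000-memory.dmp
  Filesize
  252KB
"""

SAMPLE_SHA256 = "52fa119750136bb728653993890fa73eff227769b42e861656977777a5bada98"
FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# Names a dropper borrows to blend in; my own list, not from the report.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                   "svchost.exe", "explorer.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)

def parse_downloads(text):
    """Each '•' line opens an entry; a field-name line is followed by its value line."""
    entries, current, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            current = {"path": line[2:]}
            entries.append(current)
            field = None
        elif line in FIELDS:
            field = line
        elif current is not None and field is not None:
            current[field.lower()] = line
            field = None
    return entries

def normalize_path(path):
    """Lower-case, backslash-separate, and give drive-less paths the system drive
    (assumed C:) so both spellings of one file compare equal."""
    p = path.replace("/", "\\").lower()
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = "c:" + p
    return p

def dedupe(entries):
    """Keep one entry per (normalised path, sha256)."""
    seen, unique = set(), []
    for e in entries:
        key = (normalize_path(e["path"]), e.get("sha256"))
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique

def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped files byte-identical to the submitted sample: the dropper copied itself."""
    return [e["path"] for e in entries if e.get("sha256") == sample_sha256]

def masquerading(entries):
    """System-binary names written anywhere but the real system directories."""
    hits = []
    for e in entries:
        p = normalize_path(e["path"])
        if p.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS):
            hits.append(e["path"])
    return hits

def image_region_sizes(entries, base=0x400000):
    """{pid: {size}} of dumped regions starting at the usual image base. A child
    whose size differs from its parent's is mapped from a different image."""
    sizes = defaultdict(set)
    for e in entries:
        m = MEM_RE.match(e["path"])
        if m and int(m.group(2), 16) == base:
            sizes[int(m.group(1))].add(int(m.group(3), 16) - base)
    return dict(sizes)

if __name__ == "__main__":
    unique = dedupe(parse_downloads(REPORT_EXCERPT))
    print("self copies:", self_copies(unique))
    print("masquerading:", masquerading(unique))
    print("image regions:", {pid: sorted(s) for pid, s in image_region_sizes(unique).items()})
```

The SHA256 and path of the self-copy are the two indicators worth pushing to endpoint tooling from this report; the Run key and IFEO values behind the "Adds Run key" and "Sets file execution options" signatures are not printed here and have to be recovered from the full report or the dropped files themselves.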