Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 03:16

General

  • Target

    b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b.exe

  • Size

    72KB

  • MD5

    1cb5f8ae4f5fd93d509c5ffcd1a009b6

  • SHA1

    180c86862cacaee2a95e22395f561470c5233910

  • SHA256

    b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b

  • SHA512

    a9eb22587b37dbf5d59a15c7dd80a75e5a2fc79687bf9b55cd9cf6c485acdfbf7dcdca659e8dda90a1ca9a570b13744d2e24ccaa0d3d30323cb2760936e252aa

  • SSDEEP

    1536:KNCJMvSU05Ct8NwAJH7Bs3UHRazKxiH0vrb+cd8nouy8Z:KNiUQCt5Ia3SYPUvriGcoutZ
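The Signatures section below flags this 72KB sample as UPX packed, and the memory dumps show it mapping to 268KB at its image base, which is consistent with a packed stub unpacking in place. The following is an added example, not part of the sandbox report: a static check that parses the PE section table and looks for UPX section names, with a fallback shape heuristic for modified UPX builds that rename sections (first section has zero raw size on disk but a large virtual size). The PE bytes are constructed inside the block for offline testing and are headers only, not a runnable executable; the shape heuristic is an assumption, not a documented sandbox rule.

```python
"""Static UPX-packing check over a PE section table.

Added example, not code from the sandbox or the report. Sample PE images
below are constructed header-only blobs, not real executables.
"""
import struct
from typing import List, Tuple

Section = Tuple[str, int, int]  # (name, VirtualSize, SizeOfRawData)


def pe_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    first = coff + 20 + opt_size                              # first IMAGE_SECTION_HEADER
    out: List[Section] = []
    for i in range(nsec):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rawsize = struct.unpack_from("<III", data, off + 8)
        out.append((name, vsize, rawsize))
    return out


def looks_upx_packed(data: bytes) -> bool:
    """True for stock UPX section names, or for the UPX layout with renamed
    sections: first section empty on disk but large in memory (the unpack
    destination). The layout rule is a heuristic (assumption), not a signature
    taken from the report."""
    secs = pe_sections(data)
    if any(name.startswith("UPX") for name, _, _ in secs):
        return True
    return len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0


def build_pe(sections: List[Section]) -> bytes:
    """Construct a minimal PE32 header-only image for testing (not executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000 * (i + 1),
                    raw, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, raw) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed samples: stock UPX layout, a renamed-section UPX layout, and a
# plain linker layout. Sizes are illustrative, not measured from the sample.
UPX_SAMPLE = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0xE000, 0xD000), (".rsrc", 0x1000, 0x600)])
RENAMED_SAMPLE = build_pe([(".text", 0x20000, 0), (".data", 0xE000, 0xD000)])
PLAIN_SAMPLE = build_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x200)])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, pe_sections(blob), looks_upx_packed(blob))
```

On a real file, pass `open(path, "rb").read()` to `looks_upx_packed`; a positive result means the on-disk hashes above describe the stub, and the payload's hashes must come from an unpacked dump or `upx -d` output.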

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Common in ransomware, but drive enumeration on its own is a weak indicator.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 57 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
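Most of the signatures above are registry writes: Explorer view policies, RegEdit/Task Manager lockout, UAC and firewall settings, a Run key, and Image File Execution Options entries. The following is an added example, not part of the sandbox report: an audit that compares a registry snapshot against clean defaults and flags IFEO debugger redirects and Run entries pointing outside Program Files or Windows. The snapshot is a constructed dict standing in for the live registry (on a host you would populate it from `winreg` or a `reg.exe export`); the key paths are the standard Windows locations, and the specific values it contains (including the IFEO target) are assumptions modelled on the signature names, not data extracted from this report.

```python
"""Audit a registry snapshot for the policy tampering these signatures describe.

Added example, not sandbox code. SAMPLE_SNAPSHOT is constructed, not dumped
from the analysis VM.
"""
from typing import Dict, List, Tuple

# Clean defaults: key -> value name -> expected value.
POLICY_BASELINE: Dict[str, Dict[str, int]] = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableRegistryTools": 0,   # "Disables RegEdit"
        "DisableTaskMgr": 0,         # "Disables Task Manager"
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "HideFileExt": 0,            # "Modifies visibility of file extensions"
        "ShowSuperHidden": 1,        # "Modifies visibility of hidden/system files"
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {
        "EnableLUA": 1,              # "UAC bypass" / "Checks whether UAC is enabled"
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile": {
        "EnableFirewall": 1,         # "Modifies firewall policy service"
    },
}

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")

Snapshot = Dict[str, Dict[str, object]]
Finding = Tuple[str, str, object]   # (key, value name, observed value)


def audit(snapshot: Snapshot) -> List[Finding]:
    findings: List[Finding] = []
    # 1. Policy values that differ from the clean default (absent == default).
    for key, values in POLICY_BASELINE.items():
        present = snapshot.get(key, {})
        for name, clean in values.items():
            actual = present.get(name, clean)
            if actual != clean:
                findings.append((key, name, actual))
    # 2. Any IFEO subkey carrying a Debugger value redirects that program.
    for key, values in snapshot.items():
        if key.startswith(IFEO + "\\") and "Debugger" in values:
            findings.append((key, "Debugger", values["Debugger"]))
    # 3. Run entries launching from outside Program Files / Windows.
    for key in RUN_KEYS:
        for name, cmd in snapshot.get(key, {}).items():
            low = str(cmd).lower().lstrip('"')
            if not low.startswith(TRUSTED_PREFIXES):
                findings.append((key, name, cmd))
    return findings


# Constructed snapshot: policies flipped, one IFEO redirect (target program is
# an assumption), a Run entry pointing at the dropped copy under the profile,
# and one benign HKLM Run entry that should not be flagged.
SAMPLE_SNAPSHOT: Snapshot = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableRegistryTools": 1, "DisableTaskMgr": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "HideFileExt": 1, "ShowSuperHidden": 0},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {
        "EnableLUA": 0},
    IFEO + r"\taskmgr.exe": {
        "Debugger": r"C:\Users\Admin\E696D64614\winlogon.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "winlogon": r"C:\Users\Admin\E696D64614\winlogon.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
}

if __name__ == "__main__":
    for key, name, value in audit(SAMPLE_SNAPSHOT):
        print(f"{key}\\{name} = {value!r}")
```

The Run-key rule is deliberately coarse: a copy of `winlogon.exe` under `C:\Users\<user>\<random>\` is the tell here, since the real binary lives in `C:\Windows\System32`.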

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b.exe
    "C:\Users\Admin\AppData\Local\Temp\b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:652
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1728
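The tree shows the dropper (PID 1980) launching a copy of itself as winlogon.exe (PID 1020; the Downloads list gives it the same SHA256 as the submitted sample), which then launches a second winlogon.exe (PID 652) after using SetThreadContext and WriteProcessMemory. The memory dumps show PID 652's image-base region at 0x400000-0x42E000 (184KB) while PIDs 1020 and 1980 map 0x400000-0x443000 (268KB), so the child no longer holds the file it was started from. The following is an added example, not part of the report: a heuristic that picks out process-hollowing candidates from a process tree plus image-base region sizes. The events are constructed from the figures on this page; the rule itself (same-image parent/child, parent used WriteProcessMemory and SetThreadContext, child's image-base mapping differs in size from the parent's) is an assumption, not a documented sandbox signature.

```python
"""Process-hollowing candidates from a sandbox process tree.

Added example, not sandbox code. PROCS and REGIONS are constructed from the
process tree and memory dumps on this page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IMAGE_BASE = 0x400000


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    apis: Set[str] = field(default_factory=set)   # API-use signatures seen for this PID


Region = Tuple[int, int, int]                       # (pid, start, end)
Hit = Tuple[int, int, int, int]                     # (child pid, parent pid, child size, parent size)


def hollowing_candidates(procs: List[Proc], regions: List[Region],
                         image_base: int = IMAGE_BASE) -> List[Hit]:
    by_pid = {p.pid: p for p in procs}
    # Size of the mapping that starts at the image base, per PID.
    size_at_base: Dict[int, int] = {pid: end - start for pid, start, end in regions
                                    if start == image_base}
    hits: List[Hit] = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue                                # hollowing re-launches the same image
        if not {"WriteProcessMemory", "SetThreadContext"} <= parent.apis:
            continue                                # needs a write plus a redirected thread
        c_size, p_size = size_at_base.get(child.pid), size_at_base.get(parent.pid)
        if c_size is not None and p_size is not None and c_size != p_size:
            hits.append((child.pid, parent.pid, c_size, p_size))
    return hits


# Constructed from the report's process tree (ppid 0 = no parent listed).
PROCS = [
    Proc(1980, 0, r"C:\Users\Admin\AppData\Local\Temp\b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b.exe",
         {"WriteProcessMemory", "SetWindowsHookEx"}),
    Proc(1020, 1980, r"C:\Users\Admin\E696D64614\winlogon.exe",
         {"SetThreadContext", "WriteProcessMemory", "SetWindowsHookEx"}),
    Proc(652, 1020, r"C:\Users\Admin\E696D64614\winlogon.exe",
         {"AdjustPrivilegeToken", "SetWindowsHookEx"}),
    Proc(1528, 0, r"C:\Program Files\Internet Explorer\iexplore.exe",
         {"WriteProcessMemory", "FindShellTrayWindow", "SetWindowsHookEx"}),
    Proc(1728, 1528, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         {"SetWindowsHookEx"}),
]

# Constructed from the memory dump list: region bounds at the image base.
REGIONS: List[Region] = [
    (1980, 0x400000, 0x443000),   # 268KB, the packed dropper as loaded
    (1020, 0x400000, 0x443000),   # 268KB, same file under its new name
    (652, 0x400000, 0x42E000),    # 184KB, different payload in the child
]

if __name__ == "__main__":
    for child, parent, c_size, p_size in hollowing_candidates(PROCS, REGIONS):
        print(f"pid {child} (parent {parent}): image base maps {c_size:#x} bytes, parent maps {p_size:#x}")
```

When a candidate is found, dump the child's image-base region (here memory/652-*) rather than the file on disk; the on-disk hashes identify only the packed stub.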

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    60KB

    MD5

    6c6a24456559f305308cb1fb6c5486b3

    SHA1

    3273ac27d78572f16c3316732b9756ebc22cb6ed

    SHA256

    efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

    SHA512

    587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    e18f56a76ced26af2233a99f24f78589

    SHA1

    e6a08518eb88cc901cfa9e5ab22374bb163a6fec

    SHA256

    e400541a3c822f06ca233315128ae041de3cd0f14404474550ac567dcb63dae9

    SHA512

    62783a9fd1faad999bfde46c2130de0f70fe6106ac665b255728d485e42c700c64ad4e22bd468ecf4fda182c82fe4640c6af10bc7e2f5b473311ed5ef538d7bb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    05c663b1160e4724876a58c0e96d633c

    SHA1

    64be8e79970fcf3b58f4c566d5b9bcc89d873464

    SHA256

    5ba563da9de2f8de131f3f579275e7ebb781cb2f0d145736facaba5bb2fc9e00

    SHA512

    c68cb1aa35e03190a50b86352577e1f703229c3a08abfb2661d337e80affbd230aceae0cbf64679b7e49f54c4d1259c332f77b8fec5e310a411f05c2e47840f3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q4JRMC2Q.txt

    Filesize

    603B

    MD5

    7af3f9d5f0ae8a4c96bf8abe34433db5

    SHA1

    a9fc2f6c14a7f836953d4a6dac359e6ec6ddb9be

    SHA256

    5426dfd1c20aea1f4032436299faf6ea02c62dd474abe1e8206b7a621b293828

    SHA512

    483a19f0ccd1f1abfd06cfc5c80e202921fbe6fc23900328abcc8f74e5fa4543370723c5fa2ee671907a59c8c49545d3775b1dcdffa664c47f4365e1c5c0885a

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    72KB

    MD5

    1cb5f8ae4f5fd93d509c5ffcd1a009b6

    SHA1

    180c86862cacaee2a95e22395f561470c5233910

    SHA256

    b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b

    SHA512

    a9eb22587b37dbf5d59a15c7dd80a75e5a2fc79687bf9b55cd9cf6c485acdfbf7dcdca659e8dda90a1ca9a570b13744d2e24ccaa0d3d30323cb2760936e252aa

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    72KB

    MD5

    1cb5f8ae4f5fd93d509c5ffcd1a009b6

    SHA1

    180c86862cacaee2a95e22395f561470c5233910

    SHA256

    b9d258d2b195f43645c605af1c7e2d836e03c3b87320a2093d0ba40466c55c1b

    SHA512

    a9eb22587b37dbf5d59a15c7dd80a75e5a2fc79687bf9b55cd9cf6c485acdfbf7dcdca659e8dda90a1ca9a570b13744d2e24ccaa0d3d30323cb2760936e252aa

  • memory/652-68-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/652-72-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/652-73-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/652-76-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/652-79-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1020-78-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1020-65-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1980-56-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1980-62-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1980-57-0x0000000075981000-0x0000000075983000-memory.dmp

    Filesize

    8KB