Overview

overview

9

Static

static

97f26035c4...db.exe

windows7-x64

9

97f26035c4...db.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 13:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe

  • Size

    257KB

  • MD5

    6c223895ea905ce600d0181250f29b39

  • SHA1

    6f5f13a5ea5c383c7531786e5ded485ba80b6303

  • SHA256

    97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb

  • SHA512

    3a588cef72037a160a54f6ac82d24d258dfb71485881f87a3e654996509373d1d3b970757dbdecd0bf5296f6662e463551d50941ef25bf833cecfad3501368c3

  • SSDEEP

    3072:Oxd5qdyipX2MB46XN0MKFkAFXrKnYhbwIz3qsuegTqAxMJSvbYjAo6fEuOHCBIv/:Oxdo3cMBrARnhbwIz6sOHiJob6AFdq

Score
9/10
evasiontrojanupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Blocklisted process makes network request 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 21 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe
    "C:\Users\Admin\AppData\Local\Temp\97f26035c413ecce80e0c77e78f9881f93f8fa46b8c3d73c8ab3b52ee4b38ddb.exe"
    1⤵
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysTem32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 944
        3⤵
        • Program crash
        PID:4236
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:760
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3940
      • C:\Windows\system32\RunDll32.exe
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:4024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4740 -ip 4740
    1⤵
      PID:3836

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            520071a63bb5e2038486cd0ce14055b1

            SHA1

            752cfb61bbe3ae1e2c2609c53aeee510661a59ed

            SHA256

            f8a989e9cf1fe0f0000c795537122a3c727e3b570b66582bfb62d9bbae4b20f8

            SHA512

            6f0131c9e0943c6a13d52a7525e1c592c95db868bf2dd21a8a37254150a239748985cc31518d0c4844bebfc5613feee6857b5debfbbbd6ed4539cd5e494ebbb2

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            417f24c08a23795bef51ab50d45b7d2a

            SHA1

            dd6e565e168963050a4568b07766cb3121113bd2

            SHA256

            bd4849763e0347a43aeecc927daa9290256bbbcd579ba89cb17cc27d6fc4196d

            SHA512

            da2213265370faac37be45f9a6e0f99d0c79ae5d6da31125fd4e0f4dc1c17f77621e88fca39bc2177c933d8e3e99785b1b5fb75dc642f9cf05dd26583725d3e1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl
            Filesize

            57KB

            MD5

            3b8daad17fc3576b7ce42bd8e88eb40f

            SHA1

            de9610ea1cb66036241155b678696099cb2816dd

            SHA256

            23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

            SHA512

            77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl
            Filesize

            57KB

            MD5

            3b8daad17fc3576b7ce42bd8e88eb40f

            SHA1

            de9610ea1cb66036241155b678696099cb2816dd

            SHA256

            23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

            SHA512

            77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl
            Filesize

            57KB

            MD5

            3b8daad17fc3576b7ce42bd8e88eb40f

            SHA1

            de9610ea1cb66036241155b678696099cb2816dd

            SHA256

            23dbd9d60a2c06a3d47b9abbe7800ce0e3d067e373724c175049aeb853fddd0c

            SHA512

            77573a6b6ba7ab46129f5191dcf9e204484dfa012a59ac5536aa7f74f63f6bee8213a36e0603ca4a836be9f983941444db2ef73573435e122dd1fea35fac593a

            Download Submit

          • memory/4024-140-0x0000000000010000-0x000000000003C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/4740-135-0x0000000000010000-0x000000000003C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/4740-136-0x0000000000010000-0x000000000003C000-memory.dmp

            Filesize

            176KB

            Download