Analysis
-
max time kernel
97s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
28-09-2022 09:11
General
-
Target
6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe
-
Size
117KB
-
MD5
083b5b2003bc9b2c4cd423b086ad5265
-
SHA1
9fff262f74d9ecf446eabbb2e9136f1bd6c521d4
-
SHA256
6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc
-
SHA512
23999df69b89b2ead229daddbb4d76637c42e7db6b004401f10631fcfe437d40e70af18a92b7d8105610568f6311f9899398aec6296a74a3a932f8d1fdacdcc5
-
SSDEEP
1536:zPFAoF9649rqWOQMg7AQxfrtJlIactudzEIe7nii2nf4ljawM/0ZAmhQuz:Dx64CrsnxWhudIzioaz/YQuz
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 53 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe"C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exeC:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96052E01-3F0D-11ED-A20B-4279513DF160}.datFilesize
3KB
MD5f17f992d9d6cc3f8f9605385025c427c
SHA19333b3bcb069a9ccb5c87c7d126839e86fa76fe4
SHA2567a11c4676706939b35c1d2daf042ab2fd9189641ce4a0f4e6dc7f06005dddea7
SHA5128844007510cbc5182a5162ef9bc2c137265f878cc820fd6583af3099ec5e2cfeb4e0753f9910a7fd9b22792200afd7479e5e32e41ca4e5260f9c244c45d2c19a
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96068D91-3F0D-11ED-A20B-4279513DF160}.datFilesize
3KB
MD596c98723c7aa7f082c53406472ee60c4
SHA1c5b8fe2a619c05caeff1f2516510b855893e4536
SHA256621604816aab9a1c83b17904469719af2a9f94ef23387a6e2e6c484b1af510fb
SHA5125d7b62adb59ebcbd99583d5f7c0815a758d6e03feabd69d2bee8bd18d4dd4b0584af59117a72f3fdd2587e3c210f492cab280fc85e37acd3595fcf0b9dd757e3
-
C:\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exeFilesize
105KB
MD53235c81e22fad625ce09ae351091f7cc
SHA11a670de8ab6014928459f0c1631db644f7d7526e
SHA25685d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6
SHA51295797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T0NUVL6M.txtFilesize
603B
MD5db3eae449bd214077434096b2775e3af
SHA117ddd62a034415a9d8d2ad77dc665aaafa04191b
SHA2569576274ea60d5472a94e8b46d47250480bc358fdf346c5c541bb779b42ee2aa5
SHA5124cca37cecfc9146078e54ed2cd54979e57d6f2ebecacc0209f6208981b8ce568530e88abbbb7e058c7d66b55e3309c04042603ac7d854f49862559b6d22e58f9
-
\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exeFilesize
105KB
MD53235c81e22fad625ce09ae351091f7cc
SHA11a670de8ab6014928459f0c1631db644f7d7526e
SHA25685d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6
SHA51295797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b
-
\Users\Admin\AppData\Local\Temp\6969c45198338d2677fd4d30c7a374a1c56d35e8e062110e4679d1f9aefa26dcmgr.exeFilesize
105KB
MD53235c81e22fad625ce09ae351091f7cc
SHA11a670de8ab6014928459f0c1631db644f7d7526e
SHA25685d274964f8e3cba910a4922bdbdc0ed3b064c0045db18c85d8d2a853d00e7a6
SHA51295797149ba60dc13795798549d566f309796ac7daad849c5295516855f53617c92e29a119d93a5da87d50a16d6a34308b3b0b0d0b3974b899fe2f21ca83f041b
-
memory/980-57-0x0000000000000000-mapping.dmp
-
memory/980-64-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/980-65-0x0000000000400000-0x000000000045D000-memory.dmpFilesize
372KB
-
memory/1696-62-0x00000000000F0000-0x000000000014D000-memory.dmpFilesize
372KB
-
memory/1696-63-0x00000000000F0000-0x000000000014D000-memory.dmpFilesize
372KB
-
memory/1696-61-0x0000000000340000-0x0000000000361000-memory.dmpFilesize
132KB
-
memory/1696-66-0x00000000000F0000-0x000000000014D000-memory.dmpFilesize
372KB
-
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmpFilesize
8KB