Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 21:38

General

  • Target

    167b598287f786d37092f7b23f5422c1474b6e3d1477194876cde0a38e901fa9.exe

  • Size

    721KB

  • MD5

    4ea22f2e7fc10b58052fbae4c991f230

  • SHA1

    db0ea5ce251e2da19c38f5b07640043e7ceac7d8

  • SHA256

    167b598287f786d37092f7b23f5422c1474b6e3d1477194876cde0a38e901fa9

  • SHA512

    601e9ea446b29678036693f214e4901af0746750fc031ceae8b56a04713bfb7085a22f1bcd773ee02a403294335f437c009e681fd14499209b7718378b263b88

  • SSDEEP

    12288:QUp3EQ6T6jpV3KVMeHf2Jl84yfFr+3p8rkKQr6MCNVkgQpNaQ4ppFJN9IJaXS+:QKTV0TfkOYK1NkgQ3+mJaC+

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\167b598287f786d37092f7b23f5422c1474b6e3d1477194876cde0a38e901fa9.exe
    "C:\Users\Admin\AppData\Local\Temp\167b598287f786d37092f7b23f5422c1474b6e3d1477194876cde0a38e901fa9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TolHG.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java(TM) Platform SE Auto Updator 2.1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2932
    • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
      "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:5008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4348
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:428
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Falaheye.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Falaheye.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Falaheye.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Falaheye.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2320
      • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        C:\Users\Admin\AppData\Roaming\Java\uninstall.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3060

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TolHG.bat

    Filesize

    173B

    MD5

    0f9512ff58185a551abc4fa80ffde3b5

    SHA1

    eb2df1adbb3504236d2857d8a9c297121c97a95d

    SHA256

    79747cbd0b884c6870d0ab8b90e4b64af598f1c1c97b2eb31c1fc1a1d6128189

    SHA512

    1f7216ce7cd2e1ae6e30c7d6d0f84b3a7a637c6cfe9568a10ffa802b99a832b3e4f45c7bd02cbbe70665e79ea917e7e9ac9a38ceaf469836fb207a47ef52ff3e

  • C:\Users\Admin\AppData\Roaming\Java\uninstall.exe

    Filesize

    721KB

    MD5

    76384548f09ea6ab3f593c4233c4e8c7

    SHA1

    e1326c08b6a7a42ce0d98f9f0eb3dbf623e5c657

    SHA256

    e0ea17145352805feaf3f9754c80d49592b17696ab7326452c3a7f11a2c610f1

    SHA512

    a0582942d8d7d44dccdb0ddf2f0561f532265b9be93a7112943e8f10e38537be38d967084d74ef251b5fa49a49af33e09b4f4574fe7a4fb2d86c535264341654

  • memory/1140-149-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1140-146-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1140-158-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1140-150-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1140-174-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1140-161-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1460-132-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/1460-141-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/2248-142-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/2248-162-0x0000000000400000-0x000000000065E000-memory.dmp

    Filesize

    2.4MB

  • memory/3060-153-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3060-159-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3060-173-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3060-157-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB