Overview

overview

10

Static

static

167f7172fa...4d.exe

windows7-x64

10

167f7172fa...4d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    167f7172facd9e494e3404c1ec307db0d7d6053005e5428d51bec1b33777144d.exe

  • Size

    24KB

  • MD5

    65d71dedd2cea264c151c442325a17c0

  • SHA1

    a0984eb5d30ba6d28ee7c7ba547015eac208aea1

  • SHA256

    167f7172facd9e494e3404c1ec307db0d7d6053005e5428d51bec1b33777144d

  • SHA512

    67d3a1af4f563feeb904d63d5cbac609b89a70d0dd0f42f293d3d2ff6c55cbf9bdb27472c929ed0966c33076d287f995b6cf8d277eea67be631a96cb8c343ef1

  • SSDEEP

    384:/zqc/RK97lGre2vD6eVjlJ4spvT1ZKNpltxDlJnELKt8Cy/jhGl9+:bqco9Are2fjlJ4sJEPxoU8Cy/jh4Q

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\167f7172facd9e494e3404c1ec307db0d7d6053005e5428d51bec1b33777144d.exe
    "C:\Users\Admin\AppData\Local\Temp\167f7172facd9e494e3404c1ec307db0d7d6053005e5428d51bec1b33777144d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" www.888979.com
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2332
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" www.vqq.com
      2⤵
      • Modifies Internet Explorer settings
      PID:4256
    • C:\Users\Admin\AppData\Local\Temp\167f7172facd9e494e3404c1ec307db0d7d6053005e5428d51bec1b33777144d.exe
      "C:\Users\Admin\AppData\Local\Temp\167f7172facd9e494e3404c1ec307db0d7d6053005e5428d51bec1b33777144d.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\socks.exe
        "C:\Windows\socks.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MyTemp
    Filesize

    102B

    MD5

    02f6c829105aa55ac9c1b0d00fe5e61d

    SHA1

    97d2dfeb5b6a643e0eb2d7136022da7266ef3b72

    SHA256

    f1985cc277d4f5121bcdd6688203563e597ae7cfa4bd06322f31272ecd0acc69

    SHA512

    beaafcc8cf64388d1347759020668c4352c75baeab2192000501be0dc621c539a782c1fcd36210ff57804f2f78a18146a0c802a66f3366aea905e3a656cdfcc0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    046bedf3b97e782edc5343dc24a1c485

    SHA1

    ebad04906d01fdb00719463e729f201a043433ae

    SHA256

    4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

    SHA512

    18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    7486b41795c720a62b9c94210592fdd3

    SHA1

    f645f02d2aa224f5380940267f0b0396a2d724f7

    SHA256

    ee48dc9b32018eaf2ed4100d1230463807006803d2707572417938152b5f9988

    SHA512

    015646264e145339b9c85c4955d06411c84364e2fd67f14eb5d93da9eb0e8940d524dcacdba4d4c2ac853f59db6a5d03b226b6b1433a23d224f817c416d87913

    Download Submit

  • C:\Windows\Mation.inf
    Filesize

    13B

    MD5

    e353e98883820415ad14807b2a97920f

    SHA1

    e0dd02b23270df333700e6f163cc84ad61e6bbfb

    SHA256

    d87401fe5397a05eaaa08623b898465764369ae13a9eb2c19f745b534d8750f5

    SHA512

    f3bcc630c0f7de4e144f9ec7b1dff1de033e56fb923ef5c7c96fdd5c59a1d50d89fc30c371ab569f61028c5fd3fe540a16ecefc0e2c26e5c4c3a15d98ff007c2

    Download Submit

  • C:\Windows\socks.exe
    Filesize

    12.9MB

    MD5

    2b6252b9d475e1d8f55a38f11f688b39

    SHA1

    ad7077d77aa96780a9f473b8f27f1e892e10c00a

    SHA256

    cccba0f37fa1009f8f19f59de33ad427399db2ac6a695c0d080642a2c0f39adb

    SHA512

    c79927282394991bebb75ad9e940733ade21690ecb1f9733c86efe0516c24feb1b1076a96f660c7891ceb4fac569a78f24dcc5f523c4d5eef12f09e6f127cc06

    Download Submit

  • C:\Windows\socks.exe
    Filesize

    12.9MB

    MD5

    2b6252b9d475e1d8f55a38f11f688b39

    SHA1

    ad7077d77aa96780a9f473b8f27f1e892e10c00a

    SHA256

    cccba0f37fa1009f8f19f59de33ad427399db2ac6a695c0d080642a2c0f39adb

    SHA512

    c79927282394991bebb75ad9e940733ade21690ecb1f9733c86efe0516c24feb1b1076a96f660c7891ceb4fac569a78f24dcc5f523c4d5eef12f09e6f127cc06

    Download Submit

  • memory/2108-140-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/5056-136-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/5068-132-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/5068-135-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/5068-133-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download