Overview

overview

10

Static

static

ae41a9adc8...d7.exe

windows7-x64

10

ae41a9adc8...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    123s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 19:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7.exe

  • Size

    346KB

  • MD5

    388ae8001c7019b2e3f5401ce1e820f5

  • SHA1

    2141fd73c2adfc36d438a943e4dbc3e13e453884

  • SHA256

    ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

  • SHA512

    18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

  • SSDEEP

    3072:GR2xn3k0CdM1vabyzJYWqO5z4EwevAHjmVep+23FlJ4+:GR2J0LS6VCz4ElAH5LRn

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 9 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 5 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7.exe
    "C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
      C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      PID:4592
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:212
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1392
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 208
                6⤵
                • Program crash
                PID:4620
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4424
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4792
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:376
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          3⤵
            PID:4488
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 204
              4⤵
              • Program crash
              PID:4576
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4184
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4184 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3980
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2400
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
        1⤵
          PID:2200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1392 -ip 1392
          1⤵
            PID:4972

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  346KB

                  MD5

                  388ae8001c7019b2e3f5401ce1e820f5

                  SHA1

                  2141fd73c2adfc36d438a943e4dbc3e13e453884

                  SHA256

                  ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

                  SHA512

                  18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  346KB

                  MD5

                  388ae8001c7019b2e3f5401ce1e820f5

                  SHA1

                  2141fd73c2adfc36d438a943e4dbc3e13e453884

                  SHA256

                  ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

                  SHA512

                  18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  346KB

                  MD5

                  388ae8001c7019b2e3f5401ce1e820f5

                  SHA1

                  2141fd73c2adfc36d438a943e4dbc3e13e453884

                  SHA256

                  ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7

                  SHA512

                  18acf8027f07a73d4ae8557d1697dabb0d7b1a8982298b254c46a9fb0b7bedcb6b11a2f803732505eb942cb117fba3480e15e2b574fa4c461cfd92844221a564

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                  Filesize

                  172KB

                  MD5

                  f57abd3a76079ed9ba085bf71acf6cd3

                  SHA1

                  018c940fdb62a466a5ada1338149bb7621ad8682

                  SHA256

                  98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

                  SHA512

                  cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                  Filesize

                  172KB

                  MD5

                  f57abd3a76079ed9ba085bf71acf6cd3

                  SHA1

                  018c940fdb62a466a5ada1338149bb7621ad8682

                  SHA256

                  98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

                  SHA512

                  cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  046bedf3b97e782edc5343dc24a1c485

                  SHA1

                  ebad04906d01fdb00719463e729f201a043433ae

                  SHA256

                  4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

                  SHA512

                  18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  046bedf3b97e782edc5343dc24a1c485

                  SHA1

                  ebad04906d01fdb00719463e729f201a043433ae

                  SHA256

                  4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

                  SHA512

                  18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  046bedf3b97e782edc5343dc24a1c485

                  SHA1

                  ebad04906d01fdb00719463e729f201a043433ae

                  SHA256

                  4bb13178dccf62921053ef1b62f9bdb994dfd0520741873a60ac2c1484df78ca

                  SHA512

                  18203014488892166d7c331f8239c1c030fd9831b8040d51b3fdf3d887f867380ff639ccac26e8751b7b13d1dc83e2931f96019783695e7a93c4348046c9fabf

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  566c37d8faf7e1a156d703d6cf5094b1

                  SHA1

                  a483d13406588251a462b312ce5ee62014c37ad6

                  SHA256

                  ce77187b2b83f73d727220a083d1c522228c60dc6f6b6d2eecea916904f718ed

                  SHA512

                  a82572f460de3b0764e79bfddcb7de82b6dee07b743781ff28dd44cd6e9248eb53e5a2df70ce3a502c171aae5a1740d17ce0f89ed8eb2109aefa30a5d3973e49

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  6d3fb0b64e0573470c0332abe612896d

                  SHA1

                  b133d50622abfec2b12f4db02085afe516ba707f

                  SHA256

                  f7da2f261e77e1bc774c794aa49483c1a58a3e967d02a5e1c5a18c7b47ffd55a

                  SHA512

                  eda463d4b53e993a114b64fe1c2b7317e3537c266c26e32701757525659441acdc04ff01585356c2cd06b9d2999d28c41e6b18825304800fa5ec9031ffdbadaf

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  404B

                  MD5

                  4d8e232adf3626942a487ef4ca3f272a

                  SHA1

                  b511bc047c93c032f1119b26fbd514542a61f284

                  SHA256

                  06ae14aee003c65261bf8552e14cf139230a55e7d06f91e2fa3ccd8e2d1e0fa2

                  SHA512

                  4fc504c73500b8e6216b35df64a928a9c3d092b98f1e324db714bf7b59520ef3162daa6d9557b8cf8ee1223f04c9f96e1f5a3c842e4f22c69648337a8ca1cd74

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F529F13-439B-11ED-AECB-7ED4F7B3352B}.dat
                  Filesize

                  3KB

                  MD5

                  5edb4adebff748405299dc7f2e7298f9

                  SHA1

                  0d1282f8103d9e2e30fdc5a90a50ed5a3c44c77b

                  SHA256

                  19e012d48e1ca526273024fc0ce63fe73c17cb776803cab15402ca613b8bfcfa

                  SHA512

                  faabf4b4dea0c0d4a0893e033dd1a8b3cde6a08c51fc8e4768ec12c0810055b9e1e4a5e75f4e8f7ac6613645512e131fe7b9e1e5b2a738cfe32f82d8f59382a2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F529F13-439B-11ED-AECB-7ED4F7B3352B}.dat
                  Filesize

                  5KB

                  MD5

                  0225aef715b3ce76659b1bed58fe0c01

                  SHA1

                  7f1811f8d35ec81e262816a6dbac7a2cdf4e62ae

                  SHA256

                  ac246c6c3f0d3231ce6496646596103dda56254924bc403757b1f77aadc5bc47

                  SHA512

                  ff45ed7293fa7f74eae4ee5091a9d202afef0ca7a1ebbc541af3b7034c3c9532ed1e2ec275a59c482c6eb9fd931ee4e29036f0fa81cb57b6ee2ac8d5d6071c99

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F52ED33-439B-11ED-AECB-7ED4F7B3352B}.dat
                  Filesize

                  3KB

                  MD5

                  7b1cc3e8b4fc4545523a011087a02c11

                  SHA1

                  756092ede8794f42d723342a393da608637b4771

                  SHA256

                  3899cd259c64292182961d4c70f384de81bb9b519ad1f290f0c105257d7ec48a

                  SHA512

                  fe612e9f2adec380e3bc542e436969be751f385e512e3b8bb4e22bb0a3e4db32698c750f229398b0e1081c3da325ed4c6798288076149310b94791c06761f642

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
                  Filesize

                  172KB

                  MD5

                  f57abd3a76079ed9ba085bf71acf6cd3

                  SHA1

                  018c940fdb62a466a5ada1338149bb7621ad8682

                  SHA256

                  98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

                  SHA512

                  cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ae41a9adc878a15942f06880e84ce575f0d979ab61004d367c43d2cea5da57d7mgr.exe
                  Filesize

                  172KB

                  MD5

                  f57abd3a76079ed9ba085bf71acf6cd3

                  SHA1

                  018c940fdb62a466a5ada1338149bb7621ad8682

                  SHA256

                  98c0c3c7b28a7eca1648bd25ae7927bae460de51a8a58c48b5c4fdc0a24963ba

                  SHA512

                  cb77e53914ab4e3ed8804cea0c75f13630a756903a1db0e3f1e9b81cadae981a3fba32cf5ab2597c7b6104937fa1114a5588c0df78ae2d17f38c6e115120f001

                  Download Submit

                • memory/212-182-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/212-190-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/212-192-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/212-191-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/212-189-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/212-185-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/212-184-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/212-183-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-187-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-186-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-180-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-181-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-179-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-178-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/1336-188-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/3696-175-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4592-149-0x0000000000400000-0x000000000044E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/4592-177-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4592-147-0x0000000000400000-0x000000000044E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/4592-145-0x0000000000400000-0x000000000044E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/4592-143-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4592-136-0x0000000000400000-0x000000000044E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/4996-174-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4996-150-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/4996-132-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/4996-148-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/4996-146-0x0000000000400000-0x000000000047A000-memory.dmp

                  Filesize

                  488KB

                  Download

                • memory/4996-141-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download