Overview

overview

7

Static

static

99317b09be...da.exe

windows7-x64

7

99317b09be...da.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    157s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe

  • Size

    416KB

  • MD5

    338173dfd00cfa43f6978182ba69d6b0

  • SHA1

    5495a84a842beca91e1be7bd360cee440df0c467

  • SHA256

    99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da

  • SHA512

    8d632cc2e29244f1d3b617fe8a8c847237cca49c78ac4fa0c4ea404d3fb14e418e6676c0d54b16ff06d88e723c6c3064b398247527682bd11dd86f5facc1d3d7

  • SSDEEP

    6144:bvLxlRBLwCpiD4kXWUu3pmi9ITPNe6oZLKV9VZXDDP9xVDk:bvNlPwCpu44gmewN9gWDh

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3424
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4576
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4596
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3692
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:3516
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3264
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3264 -s 852
          2⤵
          • Program crash
          PID:3452
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
        • C:\Users\Admin\AppData\Local\Temp\99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe
          "C:\Users\Admin\AppData\Local\Temp\99317b09be0583cff8c9fa5e4c7a293210c7fa01cf9f23eb2f3ca86a4f8c24da.exe"
          2⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1812
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2320
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 456 -p 3264 -ip 3264
        1⤵
          PID:2936

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\IlawEsulr.dat
          Filesize

          273KB

          MD5

          d40ad083d38b788a4f0109a71df8c842

          SHA1

          e216e871888e9717b571952ea535ccbe10d9829f

          SHA256

          9c41d5a72c93f46b134f79ed15d99944340288e062faa56e3c8b5170109d9c8e

          SHA512

          db87477865db94563dcd38cae7e6352a4a9a8559530a19b6fe97385557102f36f5e0eb1a2c7455425b3511897da51c384f8e9c17554684cd3df9c9021911dde7

          Download Submit

        • C:\ProgramData\IlawEsulr.dat
          Filesize

          273KB

          MD5

          d40ad083d38b788a4f0109a71df8c842

          SHA1

          e216e871888e9717b571952ea535ccbe10d9829f

          SHA256

          9c41d5a72c93f46b134f79ed15d99944340288e062faa56e3c8b5170109d9c8e

          SHA512

          db87477865db94563dcd38cae7e6352a4a9a8559530a19b6fe97385557102f36f5e0eb1a2c7455425b3511897da51c384f8e9c17554684cd3df9c9021911dde7

          Download Submit

        • memory/1812-162-0x00000000028B0000-0x0000000002928000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1812-135-0x0000000000400000-0x00000000004AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1812-136-0x0000000010000000-0x000000001002F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1812-139-0x0000000010000000-0x0000000010054000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1812-158-0x0000000010000000-0x0000000010054000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1812-159-0x00000000023F0000-0x0000000002431000-memory.dmp

          Filesize

          260KB

          Download

        • memory/1812-157-0x0000000000400000-0x00000000004AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1812-160-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/1812-161-0x0000000010000000-0x000000001002F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1812-132-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2320-142-0x0000020341E20000-0x0000020341E89000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2320-141-0x0000000000EA0000-0x0000000000EEF000-memory.dmp

          Filesize

          316KB

          Download

        • memory/2320-140-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2448-144-0x0000011D9E9F0000-0x0000011D9EA59000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2448-143-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2984-146-0x0000000008540000-0x00000000085A9000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2984-145-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3356-148-0x000002BA44F90000-0x000002BA44FF9000-memory.dmp

          Filesize

          420KB

          Download

        • memory/3356-147-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3424-150-0x000002D9468C0000-0x000002D946929000-memory.dmp

          Filesize

          420KB

          Download

        • memory/3424-149-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3692-152-0x000001F0B3D50000-0x000001F0B3DB9000-memory.dmp

          Filesize

          420KB

          Download

        • memory/3692-151-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4576-155-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4576-156-0x0000010F71F60000-0x0000010F71FC9000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4596-154-0x000002AA76860000-0x000002AA768C9000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4596-153-0x00007FFA23E90000-0x00007FFA23E92000-memory.dmp

          Filesize

          8KB

          Download