Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-10-2022 02:37

General

  • Target

    074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc.exe

  • Size

    545KB

  • MD5

    02c404001eb1428b67c4c84d93c62afe

  • SHA1

    ccfd3c9e2730197b627be2e577a71e466494ab30

  • SHA256

    074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc

  • SHA512

    117ed5f86377b0bbda1e0ac8526dbe328a656c5445536d83507c9e57dcd05ac3be09d4544fb93d0fc98bf0744f675aa077027b6784461072d1d505d2187b8670

  • SSDEEP

    6144:nUW/vqLbYZbFh0f3X2vuLL2BznK7XXlVshVrp3U4f3BglMgAMDzeLxJam0+cxosU:n7/CbY2v+ufAnC3sB03mdbqllTUxF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc.exe
    "C:\Users\Admin\AppData\Local\Temp\074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\program files (x86)\internet explorer\wmpscfgs.exe
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:580
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1920
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:406546 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:816

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

    Filesize

    581KB

    MD5

    d8877b52fd2228a9fac4567bfd41da64

    SHA1

    f7abcdbb3d451e8f7fb603c1336be106e391a5a6

    SHA256

    794dec9e97268a71a8ab7c84e3b18ce3683d03fb10f5e4123ef015f8f119f664

    SHA512

    09f1a6a59000e0a519b635f1f2de4bcefc90071e6332eaa315f918459baeda4f8709162027c20c6db6004163bfd41859c8dabb0fd56024c4b265b973a9660fba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W0K15Q22.txt

    Filesize

    115B

    MD5

    cf091c95602f26159cfeecce98395469

    SHA1

    4e68261d8f0239b8b4222d070a31d853f87e35ec

    SHA256

    2c04d01a49c04ddbf7b97573254568afef1b7201dbc94f8bb754339627d925f7

    SHA512

    565f18b2086a2d3bd28707741e3bd03bece088ea865ae373fc0f1be672f16d9910597361a6c43efcb8420ba1ea015973fad13241543fde94dfd0ef871c63da6c

  • C:\program files (x86)\internet explorer\wmpscfgs.exe

    Filesize

    581KB

    MD5

    d8877b52fd2228a9fac4567bfd41da64

    SHA1

    f7abcdbb3d451e8f7fb603c1336be106e391a5a6

    SHA256

    794dec9e97268a71a8ab7c84e3b18ce3683d03fb10f5e4123ef015f8f119f664

    SHA512

    09f1a6a59000e0a519b635f1f2de4bcefc90071e6332eaa315f918459baeda4f8709162027c20c6db6004163bfd41859c8dabb0fd56024c4b265b973a9660fba

  • \??\c:\program files (x86)\adobe\acrotray .exe

    Filesize

    587KB

    MD5

    4e9c6a54afa82243fbf20402d00efaf8

    SHA1

    234372794f619eac19dd27edf5c6c8ad906ca01e

    SHA256

    2c187c47fc0588381e80e4522911075c38fe3b92d4c45e2993fa6bf6bfb3b7a0

    SHA512

    42ffe1e3913b4132ce0ecdae916485baf566627b5a7780be6f48ec496deb6ade5dde861165289e86f2d93b97065f9c9c4fc69b20ef10aadb0a8f90598907303b

  • \??\c:\program files (x86)\adobe\acrotray.exe

    Filesize

    597KB

    MD5

    2cc40855ecf843986e5c28028db0d941

    SHA1

    e4b97b8a551ebd3b79888df296e55d7a87cec6c4

    SHA256

    3d30ed09440bba64d41c3e3512bc475ff755a0e9f2077b52fd51f14eeb912c77

    SHA512

    f1d8d7d3c1f98bd7cc449629fc3e8ac33f9f50ca1ed6cef42482e8941243b483f2e540efdadf6f41f6b462ec1f1902c16428c7abfadbadfab24dcf6bf4ece0f5

  • \??\c:\program files (x86)\microsoft office\office14\bcssync.exe

    Filesize

    569KB

    MD5

    d13190a2db5495ae8e064f9d12d6cfe2

    SHA1

    e309c669f1f6f29c515f59aed0eca58b2a09f69d

    SHA256

    61f260f26092bafd51e0f1c44dbaca65876573028c81ab483ab29754e38ecdef

    SHA512

    737a45455d77031a5bc645c814be5acd592a0c4a7ca3a02b2def4ca0c306fb7d23b67175731e2c8d09cf547d1d03bc86697914d4716e1975b8ac9bb3685fc0f5

  • \Program Files (x86)\Internet Explorer\wmpscfgs.exe

    Filesize

    581KB

    MD5

    d8877b52fd2228a9fac4567bfd41da64

    SHA1

    f7abcdbb3d451e8f7fb603c1336be106e391a5a6

    SHA256

    794dec9e97268a71a8ab7c84e3b18ce3683d03fb10f5e4123ef015f8f119f664

    SHA512

    09f1a6a59000e0a519b635f1f2de4bcefc90071e6332eaa315f918459baeda4f8709162027c20c6db6004163bfd41859c8dabb0fd56024c4b265b973a9660fba

  • memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

    Filesize

    8KB

  • memory/1048-55-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB