Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2022 02:37

General

  • Target

    074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc.exe

  • Size

    545KB

  • MD5

    02c404001eb1428b67c4c84d93c62afe

  • SHA1

    ccfd3c9e2730197b627be2e577a71e466494ab30

  • SHA256

    074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc

  • SHA512

    117ed5f86377b0bbda1e0ac8526dbe328a656c5445536d83507c9e57dcd05ac3be09d4544fb93d0fc98bf0744f675aa077027b6784461072d1d505d2187b8670

  • SSDEEP

    6144:nUW/vqLbYZbFh0f3X2vuLL2BznK7XXlVshVrp3U4f3BglMgAMDzeLxJam0+cxosU:n7/CbY2v+ufAnC3sB03mdbqllTUxF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc.exe
    "C:\Users\Admin\AppData\Local\Temp\074c6220e96258950dc00db2e0c6abd2608dfb60f8fb8af6ab8e8b410159f9bc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\program files (x86)\internet explorer\wmpscfgs.exe
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1848
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:1892
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:17410 /prefetch:2
        2⤵
          PID:4100

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

        Filesize

        558KB

        MD5

        78aa146c31bf97ebc726ba0ed8124226

        SHA1

        6594316ad930205686fbb545e1899c94f7ab0c0a

        SHA256

        d4dbe91b63c42123a3c13678dbd56ba799cab0ace232b57ed3d042c134f4546f

        SHA512

        37acf82cf45dd712e5e4eba22ac83cd4379f4d3a5754415f8c8960ad20d8277c448045f2f450f70902f9855cb7a7bbfe99678c6c696f21b97c1b0d1006ebed05

      • C:\program files (x86)\internet explorer\wmpscfgs.exe

        Filesize

        558KB

        MD5

        78aa146c31bf97ebc726ba0ed8124226

        SHA1

        6594316ad930205686fbb545e1899c94f7ab0c0a

        SHA256

        d4dbe91b63c42123a3c13678dbd56ba799cab0ace232b57ed3d042c134f4546f

        SHA512

        37acf82cf45dd712e5e4eba22ac83cd4379f4d3a5754415f8c8960ad20d8277c448045f2f450f70902f9855cb7a7bbfe99678c6c696f21b97c1b0d1006ebed05

      • \??\c:\program files (x86)\adobe\acrotray.exe

        Filesize

        588KB

        MD5

        0f4d47bca7cb28a45a4ee7251afb82b6

        SHA1

        4fe4fbf86903d3b491f0968e9e5740b053c96f33

        SHA256

        16707f9756c83459e93b1893a33f02c4c419b50e3e6a1fbd85164d42907aee01

        SHA512

        fcb3b480654670af45a52ca160ea5d7b76a553fbfd38635f26aa0155d13eb17cbb5667e9363973b7809df5e3a3274ad2b6cb87d578b1b19e23ca27d40f3c9b37

      • memory/1392-132-0x0000000010000000-0x0000000010010000-memory.dmp

        Filesize

        64KB