Analysis

  • max time kernel
    78s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2022 08:19

General

  • Target

    154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe

  • Size

    132KB

  • MD5

    789a7c1914f703c8343b8ece91c3a830

  • SHA1

    fc5e2b8079f7a340d437a00652edce1ef851bfae

  • SHA256

    154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2

  • SHA512

    f4b4f99be9c3e0fd4d59152b4622f3b80eb51419bf1a8870f643155eda6a7fad4160c1a1bbc1fa615669601f22f4983cbe3a58d15ff9d099d506c65d0e945627

  • SSDEEP

    1536:wURjsYDtXptH5NwCes0GUEQZwaKH3xm4KZtLsi4mJMo6C:zfx0FKqubP

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe
    "C:\Users\Admin\AppData\Local\Temp\154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\Windefend.exe
      "C:\Windows\system32\Windefend.exe" rem "C:\Users\Admin\AppData\Local\Temp\154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1780

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OISAT62Q.txt

    Filesize

    603B

    MD5

    14c1cb8bc88b029a61a15a32ff8c81c4

    SHA1

    6ff44db5547bf0bc801fdf615a159ed94b421e37

    SHA256

    45b6b13ad03d0107085563658ae86021ed3304ee6082fd1df98c1dee3eae882c

    SHA512

    a7445f92469834524f70dea3f8d84a34c2738ec3da1db9637730276e1cd058d8bdc38f546b17c3bfd7724479584ab43524c45507ec5f739dd771540912752921

  • C:\Windows\SysWOW64\Windefend.exe

    Filesize

    132KB

    MD5

    789a7c1914f703c8343b8ece91c3a830

    SHA1

    fc5e2b8079f7a340d437a00652edce1ef851bfae

    SHA256

    154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2

    SHA512

    f4b4f99be9c3e0fd4d59152b4622f3b80eb51419bf1a8870f643155eda6a7fad4160c1a1bbc1fa615669601f22f4983cbe3a58d15ff9d099d506c65d0e945627

  • \Windows\SysWOW64\Windefend.exe

    Filesize

    132KB

    MD5

    789a7c1914f703c8343b8ece91c3a830

    SHA1

    fc5e2b8079f7a340d437a00652edce1ef851bfae

    SHA256

    154e5fa34521e9bfe276848f77a8be1cd0a751aa5a0e26f04cddaa14963e28c2

    SHA512

    f4b4f99be9c3e0fd4d59152b4622f3b80eb51419bf1a8870f643155eda6a7fad4160c1a1bbc1fa615669601f22f4983cbe3a58d15ff9d099d506c65d0e945627

  • memory/1588-62-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1588-63-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1976-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

    Filesize

    8KB

  • memory/1976-55-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB