Overview

overview

10

Static

static

8cf7d7bc82...49.exe

windows7-x64

10

8cf7d7bc82...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2022 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.exe

  • Size

    79KB

  • MD5

    5f1c6dca730a015ea3cc3cd9dab2e260

  • SHA1

    f5e8dc4e5429789475b41b70175c57bf98667878

  • SHA256

    8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249

  • SHA512

    a2551f85c24c1a078b2e9a734023d24a94ea13108f98b16b1f878e0400bf81846e12163bec9ac51f0babbf5ccca7ca63321dc3fe2978eb3df4394fc4ce57f902

  • SSDEEP

    384:/TLoBEse1egPc2RmwebA6/T6yjGTzDFKDsywKyPXWGBEyuA2Rt9Qo6WBlWJ7hlsP:/QWeVGSA+rjGTvejm2yuA2R8yY7zskO

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.exe
    "C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.doc"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1736
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s c:\abc.reg
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Runs .reg file with regedit
        PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat
        2⤵
        • Deletes itself
        PID:2032

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.bat
      Filesize

      291B

      MD5

      1a3f80f3fc0dedef71657b08f8ab26b6

      SHA1

      745d17d29e656f0f57a3d2d8db260af1e2126e35

      SHA256

      30f21a694fbd0bc1bd06d81d0221fb8a5b3390ba4cfa0ef0db8be6b80bba6133

      SHA512

      c94f5a0d84eb89913817607846223ed7d34b799f90dd4b3e1918614414281bfd16d051701843b7a6cb0e623d1e2cba671fe1bb249e62c9df3bd0d7b9eff1224f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.doc
      Filesize

      51KB

      MD5

      20b403a310eb164cc7903e026d62a7d1

      SHA1

      b46bfec790c512cb02f15c94817b7f974de6e09f

      SHA256

      1364c66dbddf5a8bb0f9a21b368ef41bb7054de8356b55c1fe4685bcf8189e0c

      SHA512

      eb4991ae0a93f9b3a874ea67d3ff5754f82cb5fdf4783294b854cff9d7ccc0c615fde7c38f9b9814423407163efe5f0af72e5eec3bb0a08941e16d0aea3a073c

      Download Submit

    • \??\c:\abc.reg
      Filesize

      605B

      MD5

      919c47af89419610da8379f1a4bc4406

      SHA1

      8a38ced0244af3ea4f31ef83a79b02c33db7c99f

      SHA256

      b6ae6b39d808e52cd4971732f205bfb3ad8d4fb9559e26db6620e693fd9cf873

      SHA512

      7fd7689941a74377ee2c2efe35103f69a5fe47baeb19265f7470cff5e83313df0087206603e85debf5939a26dd5fb881ee8bf91ea8c1ce5ef511808af537a580

      Download Submit

    • memory/1452-56-0x0000000075041000-0x0000000075043000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1548-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1548-73-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1548-62-0x0000000072801000-0x0000000072804000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1548-64-0x0000000070281000-0x0000000070283000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1548-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1548-66-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1548-69-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1736-71-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

      Filesize

      8KB

      Download