Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2022 16:39

General

  • Target

    f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a.exe

  • Size

    100KB

  • MD5

    63f0f91e3ccf5dd00a455d3038a299f4

  • SHA1

    ed42ff3444aaac12efb043bc1d3c8e2615e970c4

  • SHA256

    f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a

  • SHA512

    30a98fba3f7a7df676d785bb283f7ad04f51ce56e52648ebe070ea165abc576ecb11dbb39bc947eaeb789118882f6471f0faea3c3290a429cc4e25928fd12759

  • SSDEEP

    1536:ceuaazjBEY7AmycmyTOOiq7NPsS5ARM32j+yEPDKgf:va/CY7GQT9iqx0XJq7/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops startup file 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a.exe
    "C:\Users\Admin\AppData\Local\Temp\f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:968
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:209934 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:828
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:603148 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1200
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome12.ini
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          PID:1092
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        -nohome12.ini
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          PID:1672
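The chain above (dropper in %TEMP% -> netmgr.exe dropped to %APPDATA%\Adobe next to netmgr.dll -> iexplore.exe launched with -nohome by a parent that is flagged for WriteProcessMemory, which is consistent with the blank IE window being used as an injection host) and the dropped-file hashes listed under Downloads below give enough material for a host-side triage rule. The Python below is an added example, not part of the sandbox output or of the sample: it scores constructed Sysmon-style ProcessCreate records against those indicators and rebuilds the parent chain for each hit. The hashes and paths are the report's; the sample records, the explorer.exe parent PID 1100, the two benign control rows and the rule wording are assumptions made for the example.

```python
"""Host-side triage rule built from the indicators in this report.

Added example, not sandbox output. The SHA256 values and paths are taken
from the report; the ProcessEvent records below are constructed to look like
Sysmon Event ID 1 (ProcessCreate) data and are not from the sandbox run.
"""
import re
from dataclasses import dataclass

# SHA256 only: MD5/SHA1 are listed in the report but are weak identifiers.
KNOWN_BAD_SHA256 = {
    "f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a": "dropper",
    "a9809c4464e571112467e5989d10b59b0af049e816dc3cb16f5b7128d5a3cda2": "netmgr.exe",
    "0863042ebac9542ff100d98e22368ea415d0396ca8e5880731bb7cca37515508": "netmgr.dll",
}

# Adobe products keep user data under %APPDATA%\Adobe but do not drop
# executables there, so any .exe/.dll at that depth is worth a look.
APPDATA_ADOBE_BIN = re.compile(
    r"\\AppData\\Roaming\\Adobe\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
IEXPLORE = re.compile(r"\\iexplore\.exe$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """The subset of a Sysmon ProcessCreate record the rules need."""
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str
    sha256: str = ""


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of rules an event trips (empty for a clean event)."""
    hits = []
    label = KNOWN_BAD_SHA256.get(ev.sha256.lower())
    if label:
        hits.append(f"known-bad hash: {label}")
    if APPDATA_ADOBE_BIN.search(ev.image):
        hits.append("binary executed from %APPDATA%\\Roaming\\Adobe")
    if IEXPLORE.search(ev.image):
        if APPDATA_ADOBE_BIN.search(ev.parent_image):
            hits.append("iexplore.exe spawned by %APPDATA%\\Roaming\\Adobe binary")
        if "-nohome" in ev.command_line.lower():
            # -nohome gives a blank IE window; in the report the parent then
            # calls WriteProcessMemory on it, so treat it as an injection host.
            hits.append("iexplore.exe started with -nohome")
    return hits


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> tripped rules for every event that trips at least one."""
    result = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            result[ev.pid] = hits
    return result


def lineage(events: list[ProcessEvent], pid: int) -> list[str]:
    """Image basenames from the root of the tree down to pid.

    Keyed on PID for brevity. On real Sysmon data key on ProcessGuid: PIDs are
    reused, and this very report shows 1672 as both the dropper and a later
    IEXPLORE.EXE child. The seen-set stops a reused-PID loop from spinning.
    """
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].parent_pid
    chain.reverse()
    return chain


# Constructed sample: the report's chain plus two benign control rows.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a.exe")
NETMGR = r"C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
EXPLORER = r"C:\Windows\explorer.exe"   # parent PID 1100 is assumed

SAMPLE_EVENTS = [
    ProcessEvent(1672, 1100, DROPPER, EXPLORER, f'"{DROPPER}"',
                 sha256="f5caa7bc9098f04fcc8c14cb65943b8c2b711901f4732f6496617f13b8d2ef7a"),
    ProcessEvent(1520, 1672, NETMGR, DROPPER, f'"{NETMGR}"',
                 sha256="a9809c4464e571112467e5989d10b59b0af049e816dc3cb16f5b7128d5a3cda2"),
    ProcessEvent(1932, 1520, IE32, NETMGR, "iexplore.exe -nohome"),
    # benign: a user opening a URL, and Reader starting from Program Files
    ProcessEvent(2200, 1100, IE32, EXPLORER, f'"{IE32}" https://example.com'),
    ProcessEvent(2300, 1100,
                 r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
                 EXPLORER, '"AcroRd32.exe"'),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(lineage(SAMPLE_EVENTS, pid)), hits)
```

The path rule is deliberately narrow (one path segment below %APPDATA%\Roaming\Adobe, .exe or .dll only) so that Reader and Creative Cloud data files under the same tree do not trip it; the hash rule is exact-match and will miss a recompiled netmgr.exe, which is why the parent/child and -nohome rules carry the weight on a fresh build.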

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Roaming\Adobe\netmgr.dll

        Filesize

        51KB

        MD5

        329ee179b9ac8a66a60bb410dbd4f3ce

        SHA1

        8ff0a63cc33552bb611fae40ebfcd22477328385

        SHA256

        0863042ebac9542ff100d98e22368ea415d0396ca8e5880731bb7cca37515508

        SHA512

        def53b7e953f4eb3736d70fa0c490312f8eaae249df9e160af591e35735f497acc460a3c65e5080595941b44b2b20c68322b2bf8f5fe4d6d4645c7cbb95cc108

      • C:\Users\Admin\AppData\Roaming\Adobe\netmgr.exe

        Filesize

        20KB

        MD5

        aa6f8eff83aea3ff7b8f016e67f74dac

        SHA1

        2c9e5b5b342603a3b967bd4fcab7f1cd11441886

        SHA256

        a9809c4464e571112467e5989d10b59b0af049e816dc3cb16f5b7128d5a3cda2

        SHA512

        752a1e901f60bbe36f40d952305db537459e3ff565b79551cf85f4c60d50956d55c757a224676f1a2ec3fd6dde18d480ff796fdb3b48ab0efb3a8177433564b1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CILSYEEF.txt

        Filesize

        603B

        MD5

        180ccd5e1a0aa29db7946a3dcbbafa9c

        SHA1

        cdefd8d4b05923e49fffcd85c2c50d7d78d5056f

        SHA256

        911509c68e43a0b52ab862d5998eeaa2aa217f5efc89674619be36f191014159

        SHA512

        a98c804b3ab6e0b3664366245ba1fc1f8eac99bb99c50bc4da89159223abb5c72358126ad235138836c3f3ef2fdaba91ff26a2d95c8d30ba6ff8858f50303805

      • \Users\Admin\AppData\Roaming\Adobe\netmgr.dll

        Filesize

        51KB

        MD5

        329ee179b9ac8a66a60bb410dbd4f3ce

        SHA1

        8ff0a63cc33552bb611fae40ebfcd22477328385

        SHA256

        0863042ebac9542ff100d98e22368ea415d0396ca8e5880731bb7cca37515508

        SHA512

        def53b7e953f4eb3736d70fa0c490312f8eaae249df9e160af591e35735f497acc460a3c65e5080595941b44b2b20c68322b2bf8f5fe4d6d4645c7cbb95cc108

      • \Users\Admin\AppData\Roaming\Adobe\netmgr.exe

        Filesize

        20KB

        MD5

        aa6f8eff83aea3ff7b8f016e67f74dac

        SHA1

        2c9e5b5b342603a3b967bd4fcab7f1cd11441886

        SHA256

        a9809c4464e571112467e5989d10b59b0af049e816dc3cb16f5b7128d5a3cda2

        SHA512

        752a1e901f60bbe36f40d952305db537459e3ff565b79551cf85f4c60d50956d55c757a224676f1a2ec3fd6dde18d480ff796fdb3b48ab0efb3a8177433564b1

      • memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

        Filesize

        8KB