Analysis
max time kernel: 146s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2022, 09:21 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
  Resource: win10v2004-20220901-en
General
Target: d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Size: 788KB
MD5: 730ba9b0c186b6ccb5406c9826c0b0e0
SHA1: 89c994298382266b76f8a86da80f1aa1d1dff4bc
SHA256: d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734
SHA512: 0bfcac7fece2d9af5bd0b432626a1832a9605c7d4e2b5329e18f1b08176cbc1a559ec95f788385b25dcf9c25a2f354cbbb5346261d8ae95b2cd304d01fb94286
SSDEEP: 12288:CSP2Vu2On5XQlE983JNsUDvlkd73hS3n8H5PGFAyG/Q7wv2Q:9/2On5XakphS305P4An/9V
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid   Process
1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
description  ioc                                                                                                   Process
Key created  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
description                        pid   Process
Token: SeDebugPrivilege            1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: 33                          1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Token: SeIncBasePriorityPrivilege  1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
1464  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe"
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1464
Network
Remote address      Host                     Process                                                                Sent   Requests
193.166.255.171:80  staticrr.sslsecure1.com  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe  152 B  3
193.166.255.171:80  track.v2.sslsecure1.com  d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe  152 B  3
193.166.255.171:80  api.v2.sslsecure1.com    d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe  152 B  3
193.166.255.171:80  api.v2.sslsecure1.com    d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe  152 B  3
193.166.255.171:80  api.v2.sslsecure1.com    d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe  152 B  3
193.166.255.171:80  api.v2.sslsecure1.com    d81ee79253f1c91f0af45618ea8217ab1e89ee7fa678f5d60f050e1f32390734.exe  104 B  2
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 537KB
MD5: ff7eef4dfcc3c54deb1bb962d39b5ad9
SHA1: 7125758b5088e41160ae6d04a30ed20b842fdc7b
SHA256: 65534417c3d94effdc940ee2cbcc57adb81b00f9584a4f3f4cc6f5d5f9ed18a9
SHA512: e0cfcd65d21dc8094782a09202ca26365d15c258992cc96045760a2393c979cc3db0236572efd3ae634fab48bb85557db12e07740687e8c69706d13d4682e142