Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/10/2022, 14:16

General

  • Target

    7f69518232a44c6087ecb7d73e556ccf832b937a83ec14037fb2d138f0b3003d.exe

  • Size

    1.1MB

  • MD5

    a20c7b589559ec84f168d023155a769f

  • SHA1

    736071856685df1d37b211832170b3160b37d624

  • SHA256

    7f69518232a44c6087ecb7d73e556ccf832b937a83ec14037fb2d138f0b3003d

  • SHA512

    5c30dd95758a68a72078f4ad0277a7815904df271dc3c13cc324f02bb1897f405e8a049b55845aab5e9c955746c9621d6edbe38897998552f99d2bf1b6c529bb

  • SSDEEP

    3072:CYsgk+ruvdasTt9NHhayrHlbGAP1Qm02B545g4FuB3bBo6P6We0VyOjUout:Vr/oS

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f69518232a44c6087ecb7d73e556ccf832b937a83ec14037fb2d138f0b3003d.exe
    "C:\Users\Admin\AppData\Local\Temp\7f69518232a44c6087ecb7d73e556ccf832b937a83ec14037fb2d138f0b3003d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:276
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1816

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    006c98bc42ac1d15f0ec70e3488783c5

    SHA1

    a8c8302826468c903b511e206d6d058e2c3acdaa

    SHA256

    e24883740fbed2781e4df4e5387cd95c3345ec9944edeeb36babd2c10135fa00

    SHA512

    e0caea17f99a18483e0195c5311942c195ef42532f1868bfb5c64b3f6cb72cc0fc58414176a9bfc66452e11d17c2058eafb483a41890f502ec76dc3a6807f2f4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    60KB

    MD5

    d15aaa7c9be910a9898260767e2490e1

    SHA1

    2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

    SHA256

    f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

    SHA512

    7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    97ab7ffd65186e85f453dc7c02637528

    SHA1

    f22312a6a44613be85c0370878456a965f869a40

    SHA256

    630df8e970cc3b1ad508db713dd8be52e0ac7a5826f3f264a266232f9a1c23ee

    SHA512

    37d90c98e72ad55b2cbb938541c81bac1aa9d2b8a7e19f0fbfaa365b49e7bef2d3199f03e46aa9fbf3055f3701d21860820c451065f7e425d39bf86ca606bfb0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

    Filesize

    472B

    MD5

    347503e74934f40d7336fdb0c0e05eda

    SHA1

    cd02b0099fecc08c7ea939feb0c0da3b7bf7e826

    SHA256

    e9c5dfb4d72923e26767db1b70aed7ddf5ea0174890825e009a850880f8b0fe4

    SHA512

    4fd29aedc14dceb395a6cadcc24e7519fb974e0e62a9399559e2df3aa7f288d23bd7b5b3b80a76f77b85a21d6b929947e1c84d1b96e801a127c900976881d440

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    bbe75733247691ba98d28863f1cfc8d7

    SHA1

    dedc66b61cb7a933d9c87790dd38db03da23f2dc

    SHA256

    d106bd9415cd8b924c6a694199d1172105c49fc3f26f4116f71d3b95db6717d8

    SHA512

    6eaff961a63c78aa7fd276acdbb64ff4e7c5ff85b66d3467b7dde097b56b0a40a97fa43b85f900cec897d04a066fc628f831227dc12b1f29ad1ce7012c1ebda8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    5c53ef21f75883f103ddd90bcc293607

    SHA1

    336aa9dc300d6703e15cf9af626bfa3f84e7546a

    SHA256

    a97cecb6da71ebd0898915f73c0d5382e0256d7201b190c3c9fde9b1fe6ed1f8

    SHA512

    ba5c2619d5e55ee259ffda7a13ec87cc3c613505b48e97a282997dff077b8962c59d4e3431f984b17be264870871c821db6d2c15e458a790a2665d26486f982d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    0b47f264882891c42d8803d684290fe6

    SHA1

    f548ee6c56f0250cc9989c68f4674170cd71f365

    SHA256

    fd24c1ec26c5b4d39613d0c46f4a661cf5b49268a0a9fb1294082ff24f34aa8d

    SHA512

    41d6683084f98a5a5d6a7caab32257b51e2ef4e7e4481bd6ac0daa64a958309dc1575614500d4d9e4bf2f1c98001abcc8466639e1a65ae7304818c8e77408db0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    9a1d7c305f643c82c85d1a28dc9a5a20

    SHA1

    76a34002ada79fac0ad8806a0116f030abc81a71

    SHA256

    fb306670133e68b5791e73c644dd43c250e05d109d4bd598dfc35c90dcc1d5e1

    SHA512

    06ec1c891ee4dcfeb50d1d7419765ccc2c7569ca3221f65ce25a2295fb6545f6bcc01254837922155a4f0c36eb8964733b9d3f59af67f7edd3d923bbcc7d23d5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    749d216e14d92059c9c787915ea3cf0b

    SHA1

    12de4e3202791e99bd69891b24b322f84c5d3e39

    SHA256

    c5c11b581b5b96b26d7f45c00294cef5a6d8d25d416d52cc3ec525354ed4e90f

    SHA512

    718057981b48e649fc522e7181baa44c16f38e3d63badefc09bdc67f67eecca29907f85d86d46850c360e7873d728cde48ff18527f40d3e3aff6e8d823d8053b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

    Filesize

    480B

    MD5

    cf53cca0c11943ce93a46fb0adc85b52

    SHA1

    cd33932e6e49f3d70bf2567f30c32d022e8b44a9

    SHA256

    29493516d8a689d761cb10a401a363c5f9a1e016fb941622944e5f3ea35330ac

    SHA512

    cdf2f91a99a2954d8969e221f0d00e7132b04c254c4ad829afcb8ea88a2415ada37ce57ea0d746cfc4230d988a4db85cce6604f01ab14977dda9a792e331327b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    6560d03a86a4ce1415346fa073a7ede7

    SHA1

    284c9217d80fe80549013dcc64c97d92014239d7

    SHA256

    feec072c99e63dee46b6664bebdbb8289a6171c198d0232405d371a2831000a2

    SHA512

    c39c01d6b906cdca24c85f0fb2deded19faf5ccda3802274961344f40f314adf610250c72431d02807c71dce719456ef5ab7ea6cc173181a122ef26337da26ef

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7SOKRLQ2.txt

    Filesize

    608B

    MD5

    ea0fd5b06b69c53491e4ca8779fc4aa9

    SHA1

    4961e5339743698fd1bc23ce68626a3bc2fb70db

    SHA256

    3132d677c5a5242d6b20c649d2cead66d15f9a8ce7fe5a8266e2c27fb16a1674

    SHA512

    a7c49bbd898cd4123507e675414a8aaacf8efb5d6e006e49564312bd8968033399abb2cb0b64d2ddcc6b4ca9bdc784e8da84a288da7d7f378cffd23d28b4f0f9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G36WYRZ8.txt

    Filesize

    97B

    MD5

    18812ca418e6694f90c361750ef24784

    SHA1

    3492dd0b3ebfea90975b30558cd03a48cf854819

    SHA256

    32e2469777296d75f7b12248844e691a02f07bbf3960b350aa999c82606deba9

    SHA512

    b7293b9a0f0c88371e475e00961f3ef64980a97e1f1ade98275fcbde20ba1bd2375117fcc805387a045a2086a40f868cb332288922b38d21432882df61bab830

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    1.1MB

    MD5

    a20c7b589559ec84f168d023155a769f

    SHA1

    736071856685df1d37b211832170b3160b37d624

    SHA256

    7f69518232a44c6087ecb7d73e556ccf832b937a83ec14037fb2d138f0b3003d

    SHA512

    5c30dd95758a68a72078f4ad0277a7815904df271dc3c13cc324f02bb1897f405e8a049b55845aab5e9c955746c9621d6edbe38897998552f99d2bf1b6c529bb

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    1.1MB

    MD5

    a20c7b589559ec84f168d023155a769f

    SHA1

    736071856685df1d37b211832170b3160b37d624

    SHA256

    7f69518232a44c6087ecb7d73e556ccf832b937a83ec14037fb2d138f0b3003d

    SHA512

    5c30dd95758a68a72078f4ad0277a7815904df271dc3c13cc324f02bb1897f405e8a049b55845aab5e9c955746c9621d6edbe38897998552f99d2bf1b6c529bb

  • memory/276-68-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/276-88-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/276-72-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/276-73-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/276-78-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1312-66-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/1312-87-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2004-56-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2004-62-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2004-57-0x0000000075831000-0x0000000075833000-memory.dmp

    Filesize

    8KB