Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2022, 06:18

General

  • Target

    12bffed9dcafd95682c6ea71674ed5e080a9215c54db1c947f8ebbf51c49e6b0.exe

  • Size

    117KB

  • MD5

    8133227d9262a562501c984bf1d475c0

  • SHA1

    c430930ebee8bf3712cbbc3808b1498686fb8a91

  • SHA256

    12bffed9dcafd95682c6ea71674ed5e080a9215c54db1c947f8ebbf51c49e6b0

  • SHA512

    2d7d16f1850270d38fedb1f66b5548d39b7c8b12a683f8233095b018681303a5f4c9f24e56f9a1afacd1d017e729bfe11c7f8d653b6fd9652e73d2cd37bc4761

  • SSDEEP

    3072:saJmcpbHhhG5UUUUUUUUUUUUUUUUUUUUUUUUUUAtGB6p1+Y:saPYZ

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12bffed9dcafd95682c6ea71674ed5e080a9215c54db1c947f8ebbf51c49e6b0.exe
    "C:\Users\Admin\AppData\Local\Temp\12bffed9dcafd95682c6ea71674ed5e080a9215c54db1c947f8ebbf51c49e6b0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\12bffed9dcafd95682c6ea71674ed5e080a9215c54db1c947f8ebbf51c49e6b0.exe
      "C:\Users\Admin\AppData\Local\Temp\12bffed9dcafd95682c6ea71674ed5e080a9215c54db1c947f8ebbf51c49e6b0.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Drops file in Drivers directory
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1772
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sonico.com/postales/view.php?cid=27608078&se=pahola.glachavez%40hotmail.es&db=10&t=ecards_sonico&ss=1&etid=pstlview
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:648

Network

MITRE ATT&CK Enterprise v6


Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          60KB

          MD5

          d15aaa7c9be910a9898260767e2490e1

          SHA1

          2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

          SHA256

          f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

          SHA512

          7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          5defc4e797da08c754f5bcc8b897e402

          SHA1

          c6beaed445b1640ed44f2648525de754f61cffb4

          SHA256

          b17a9e12f4cda661b7df6ccf2f3375ce7c46332fa8d61d06c89b8aaee014dcd2

          SHA512

          bbfdd01b4f80cc51802294fbed03ff8a1ebbe12e20f29843856bfa41f85056d1085965ce39796897d2d33f9cb65060f803f55f208584b0b1cf7c84a18c7294ea

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          e91e023d755e080c5fbdbc12303366f4

          SHA1

          f5fb5250162685a8759fcc23beab3be68b467f5c

          SHA256

          8b5d0824d691e39dade87adb4dbc54abb4b1bfed713c95719772bfe2a2ab39cf

          SHA512

          7ae705f0f3d3cc09c37a4a16e873295edc2d07367e00b5dd101308acd28ce3031cff71ec165e74939bdd61383a580b71928cea37fcad258fe3717d5cb43b3752

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

          Filesize

          13KB

          MD5

          a07a2608b0d895aace435a3c15f65120

          SHA1

          ac2aae99bc332daa7419db1f06ac50e1ba7f3102

          SHA256

          a52096606a754907e52e8b472399043e93ee064baeffe9746bd7bb807a8e4e55

          SHA512

          ebc6c97ffc8add0f676dfe5e114d91c8b8d1c49d51bc4ebaf1a23fc32e4e0cdb29d8550623eb32fdb54a9d0165ee76a4f8214291c13edd87cece23d5ead013f7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LPC807XV.txt

          Filesize

          601B

          MD5

          cf6dca275cfd4bedfa736dc97e674941

          SHA1

          6507bdfb062b24a611e47fb2d90e16ba7e84af74

          SHA256

          b5988c597e8de543833090fb22a1058735c2eeba3cd9b5737739b02791df7cf8

          SHA512

          cb367b33b7de0de090e70a83706433f7d56dd8dda2179826dd0fc3f7d1e0370bf9d4e81a8563908e79a3baa52e540488c5cdc12a6723b8a6d75a7439901184fb

        • memory/1772-56-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/1772-61-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/1772-62-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

          Filesize

          8KB

        • memory/1772-63-0x00000000030D1000-0x000000000361D000-memory.dmp

          Filesize

          5.3MB

        • memory/1772-64-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB