Overview

overview

8

Static

static

1

559a4a537f...f3.exe

windows7-x64

8

559a4a537f...f3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 14:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    559a4a537fbcf3facc9660a9023989262e93b7179d5ddb632f9194b01e7ba2f3.exe

  • Size

    349KB

  • MD5

    904a4fa9d49ef0c14b477ed6aa916f2e

  • SHA1

    2c5cd08f948acc70d10b9c894d86fc4473cf633d

  • SHA256

    559a4a537fbcf3facc9660a9023989262e93b7179d5ddb632f9194b01e7ba2f3

  • SHA512

    97bea521a627f275bf66b277d68d491548a81f5bc3f0571f9eb0679b3849ffb16fae306c4224b8aa97caa00101911b146633ee19ac6d9e711ab931aa0c811bb0

  • SSDEEP

    6144:ye34Znu/EJXAF8u1qBhGNy4909VezjiGF+nh9CUZLcb+F3:REJXs1q2N1906jidGUZLcb+F3

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\559a4a537fbcf3facc9660a9023989262e93b7179d5ddb632f9194b01e7ba2f3.exe
    "C:\Users\Admin\AppData\Local\Temp\559a4a537fbcf3facc9660a9023989262e93b7179d5ddb632f9194b01e7ba2f3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk08.icw"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk08.icw"
        3⤵
          PID:4328
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2032
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4324
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3900 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1040

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\EditPlus\kk08.icw
              Filesize

              132B

              MD5

              40c90605f008d041bdb6d3897661a87f

              SHA1

              85ab92e38892f62ba34976c39d70654e00e51ac4

              SHA256

              8b2855f3ca90d537a1d83c02b50775fcdb7f9ddf6bda732b6fbced8fe33245a2

              SHA512

              aa7845b6c09765000b658ba4981722d88f5b14586b1d06964d47f5066387ec8454b561573a637519421ca3fcdcca5eb87b3cee6f036dcca248ba07a85dabeae2

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              6a15e3564b9eb382fe5534f59d6fccb4

              SHA1

              911dbc1a988c2d6816beb0c21c4ea5402253b884

              SHA256

              6b478c66c9a2024177d4a478ccea9a82f3162aa87a5125a0dc3750c920bdbc62

              SHA512

              2801f46d495eed08dbb10e73ccda4828faf4ef6b1ff3ff45ce8d73331e692381c25417d15c958f8c3f9c6932300cd0e66b1aad6bb5a92e2bf27b338b6d245711

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              434B

              MD5

              402fe01395940d9e00b82d9534974158

              SHA1

              fd4919f6196ed90addddabf21ca3bdc3ee02bdda

              SHA256

              e23d6bd4da7191857ad42be2ff2a7bea8a5254696d96ae27cbf531689ce76485

              SHA512

              1bec83fb99af67e76478506885649485d213b64a993e8fb4af68d1cdcc9b77b7786599664d479cbe0b83dead1b67c08cf83eecb5877ec51d34e3cc14aa4d3b8a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nssE7E5.tmp\System.dll
              Filesize

              11KB

              MD5

              c17103ae9072a06da581dec998343fc1

              SHA1

              b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

              SHA256

              dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

              SHA512

              d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nssE7E5.tmp\nsExec.dll
              Filesize

              6KB

              MD5

              acc2b699edfea5bf5aae45aba3a41e96

              SHA1

              d2accf4d494e43ceb2cff69abe4dd17147d29cc2

              SHA256

              168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

              SHA512

              e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nssE7E5.tmp\nsExec.dll
              Filesize

              6KB

              MD5

              acc2b699edfea5bf5aae45aba3a41e96

              SHA1

              d2accf4d494e43ceb2cff69abe4dd17147d29cc2

              SHA256

              168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

              SHA512

              e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
              Filesize

              44KB

              MD5

              7c30927884213f4fe91bbe90b591b762

              SHA1

              65693828963f6b6a5cbea4c9e595e06f85490f6f

              SHA256

              9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

              SHA512

              8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
              Filesize

              44KB

              MD5

              7c30927884213f4fe91bbe90b591b762

              SHA1

              65693828963f6b6a5cbea4c9e595e06f85490f6f

              SHA256

              9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

              SHA512

              8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk08.icw
              Filesize

              842B

              MD5

              fbd3ccae13789914ae4afa96d73f2042

              SHA1

              47a3d85b103bbccfae81f6bd5fd391cf475d5856

              SHA256

              49a59a5b72f0ded21e5650fbd5b31e6dfd65f60424f4f2945616127d7285cf78

              SHA512

              a55feb7964ac9c15f0c52a1b07318282074d7f8a1170e986c499ee290b58cdd041b3f41c4b4dcb2cef1bf98e6663433a9910b82bf75102a5c522cdfaca070733

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
              Filesize

              80KB

              MD5

              5be4eb5fdadec491b400154856934411

              SHA1

              08fe0f77953b2f9551f31b866af1979abf17fb76

              SHA256

              4fe92016750ab429662870c03966c4cc0b8f2c9e179daa17a05298d0fb5d4dc8

              SHA512

              d42369fa74df36433b807c025b8214984ba24ca77ab38946664b8b2017f9e5383b83751744c1ffb716206470e832fab72ca24ae8cf2808250af86afef742ce90

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
              Filesize

              80KB

              MD5

              5be4eb5fdadec491b400154856934411

              SHA1

              08fe0f77953b2f9551f31b866af1979abf17fb76

              SHA256

              4fe92016750ab429662870c03966c4cc0b8f2c9e179daa17a05298d0fb5d4dc8

              SHA512

              d42369fa74df36433b807c025b8214984ba24ca77ab38946664b8b2017f9e5383b83751744c1ffb716206470e832fab72ca24ae8cf2808250af86afef742ce90

              Download Submit