Overview

overview

8

Static

static

1

011a913d15...39.exe

windows7-x64

8

011a913d15...39.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    011a913d154e5c98cc6d319a52dbf2a00bd782d219d72133c1fdbf806875b339.exe

  • Size

    349KB

  • MD5

    a02c0cfe9f6d4d93b2eac7b0743c9a6e

  • SHA1

    6d78d9e5f0ede4123eb521cb13e57322d1cc973f

  • SHA256

    011a913d154e5c98cc6d319a52dbf2a00bd782d219d72133c1fdbf806875b339

  • SHA512

    58c68c0589e591d449be44a52f9830968f7a2ad064771e1bcfcd2a437a22b6bdde5a323747ce6a742f41b6aa81913f9bf52200a0285db88f886a7ccf5b03c244

  • SSDEEP

    6144:ye34Q5Lnu/EJXAF8u1qBhGNy4909VezjiGF+nh9CUZLcb+FAu:6EJXs1q2N1906jidGUZLcb+FF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\011a913d154e5c98cc6d319a52dbf2a00bd782d219d72133c1fdbf806875b339.exe
    "C:\Users\Admin\AppData\Local\Temp\011a913d154e5c98cc6d319a52dbf2a00bd782d219d72133c1fdbf806875b339.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk53.icw"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWow64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk53.icw"
        3⤵
          PID:1956
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1812
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1136 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1184

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\EditPlus\kk53.icw
      Filesize

      132B

      MD5

      da4c29b9c6ad4d8deeca78f6aa617e89

      SHA1

      46bbc86b6d7ad996a103679a9faa49a96fac30f5

      SHA256

      40805eb8f47416f3bc600f54cddb73e1daa82b65c9a8abdf9626010b61e1463f

      SHA512

      c61e9426f5ec789b371b5cf65de72f33b8e4aa057a29351c6f62c823aec69b23c9ea8397b931de0cfbd7c1f952c1d98bede36d65f5df7ef98a8a591e8fa31431

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JMOZEHLQ.txt
      Filesize

      608B

      MD5

      bcd7602652189915ba5e7c444b5c6d3d

      SHA1

      8a8ecad5c3f22387bb2ee8778ad9b1584b651a1f

      SHA256

      f8f291684fa1f2795f441fdef2754030936406a8fc596e2dcfca4c2a3e6ff3ee

      SHA512

      4cabcb0cd14d12b0a3690265df4337d816fea053f24b2a258611ef509b183501d6083e9a451d1d0724e8e62c382a27d037043f3733511ef769fa9a87c0643a09

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk53.icw
      Filesize

      842B

      MD5

      4c43166a8270d0aedc35933285d958b5

      SHA1

      7c20090c0948ac417fe5e127d4a9a318cce6d4df

      SHA256

      8f57f2e1e086ffbe373f94e4936a2388724202333b0c50689f7fa09995e0d1da

      SHA512

      cf5eccf13664661b063138c6d680239618e4cebad1c9eacaaf51dc00591ab307012c019d6fcace761250b30d4da0a93f61c9c28c62b79fe21e51ae3df539ca8e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
      Filesize

      80KB

      MD5

      d07bbbe83fdf724da60c885b527b1cb7

      SHA1

      59b2e8e4f94348ea8b53fe8e5faea2ceb6beddcf

      SHA256

      b0db29b069d63ab9adad2ba43aa12c9ecac8f3ddf6f9c1ac9c05615c5f7fb664

      SHA512

      034efdb6ffe253345ea1c6348abc64a1eaf2c6ae674ea6f5c2deccb100c53045cebb645a19648a25b1adc53fd13968ddd9e947805e5ee8d3ea7a93b7ecef126b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd31BC.tmp\System.dll
      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd31BC.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      acc2b699edfea5bf5aae45aba3a41e96

      SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

      SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

      SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
      Filesize

      80KB

      MD5

      d07bbbe83fdf724da60c885b527b1cb7

      SHA1

      59b2e8e4f94348ea8b53fe8e5faea2ceb6beddcf

      SHA256

      b0db29b069d63ab9adad2ba43aa12c9ecac8f3ddf6f9c1ac9c05615c5f7fb664

      SHA512

      034efdb6ffe253345ea1c6348abc64a1eaf2c6ae674ea6f5c2deccb100c53045cebb645a19648a25b1adc53fd13968ddd9e947805e5ee8d3ea7a93b7ecef126b

      Download Submit

    • memory/1692-54-0x0000000075921000-0x0000000075923000-memory.dmp

      Filesize

      8KB

      Download