Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-10-2022 02:44

General

  • Target

    75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b.exe

  • Size

    696KB

  • MD5

    5664cb66c77c970bfcd2c7ed7f81a3e6

  • SHA1

    c193db82c860897177420582c7d09cfbbf1bc673

  • SHA256

    75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b

  • SHA512

    74873839ef687d3d959054bf41628bf9bc4e44838d5ece0d83db010db1ce5c52498e8e57d49a82b87f1e0f77f5a5b460769cf0d8b5ea865347fd26e62a419228

  • SSDEEP

    3072:5LZzP4bOZZMpM7s7oZk/nE52Gs3I3PCSj10P8kYNUoout:j4YoS

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that reading; drive enumeration on its own is a generic signature.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b.exe
    "C:\Users\Admin\AppData\Local\Temp\75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1752
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3040
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4236 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3420

    Network

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      2KB

      MD5

      bc68c4ccb08d2c94eb10c1918865ccae

      SHA1

      8256faeec3f3ec799819d5370195a60f0ec2bdb0

      SHA256

      79313c35e9f5655225ab6d4564a396cf9d473d04909c04db10935c27959f677d

      SHA512

      f6baa632cd93126c31a495e340e8f42e3f9b171b0975877e7a6725677fe57c8b51784be5366cedba022fea273cfe9ecfc5fce8546f2a76e1e6516e5865666933

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      7550b85aee4221c59808672005ed8855

      SHA1

      aeb269eff06f518132b9ecea824523fa125ba2d2

      SHA256

      2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

      SHA512

      216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      ee895cd37d1bbafdf7a736b85dd47348

      SHA1

      5c182ae0d6ffc54c386763ad882256cedd8d0e7c

      SHA256

      939346daba2e0757e14e822fd55350189708ac8d2d782b148e1744ee85c49aa5

      SHA512

      b2f86fa2f14864ab155693804f0d5da4f13e0c9257743eb7376d49a6ce77d950f6e98bbda24030386578c0edb58f4ad3e50eaec2dcc10803a7dd314d703cf740

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

      Filesize

      472B

      MD5

      bc9d91e603826848b7eeca18c58a038b

      SHA1

      d669e8d42a8e7a3e8395efa6229ef0b745253911

      SHA256

      6f704e38d9b114b245d0834c0869ac0eeb930de03f20a5a626efbafdbd0f5517

      SHA512

      75f24db37a299f4326fbeb4a670d8c75cfe77312d69f83879f89a671a5861f9925c53a5e1f4153cc7b0a2b65962ea233c259d6e0e2986ce2ebfee1fdb8ab9763

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      488B

      MD5

      30afe2f56b1e5991cf0e70712f1ce746

      SHA1

      36072aa844cd82eabc739f9236d971926de6dda9

      SHA256

      0fb1098161de7827dad270d407e34d6f3943eaf419dcdfa9712d749ba2bab3c6

      SHA512

      4f6fac4d0a6ac8fbe59dec3dace35af48c03e6f3696f74acae321b015f68f769bd1adecb7be234819b522c5bee3ed7bb7dda222cf8a1c4e28c96d0b863b575c2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      434B

      MD5

      0d9e66dbc28f3d984ccba666154c9542

      SHA1

      563e4b8dd93f21112a56ec24efcd88397f64ec49

      SHA256

      13c9eb03db49606a693f14ff2b84e48452030ef45627463d8bbd7ec0d597fccd

      SHA512

      7a0852e636a68e62c3581c6dc7a9f53ce75f8f1f9a5f1cc91ced651da48aeb761bc94fa284fbaf8f47503ed81989c8535536220f40ad5a4983baca70ab9caff5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      25596f0e4dacdc2ddf7019496c773b92

      SHA1

      49196fbf3125512452f44d60ddee43766424d5e7

      SHA256

      964ed6ec16a61bd19463c66717c9e34365d9b0d23d8c9ff78c4138e97b310c7b

      SHA512

      138ed081e3c8544575623ec11b77eda9992dd1950ba12b5d71181013159cf5bdc24690902d657fe2f70e99f25b8bd33b3ed3a97b52d85908076933e9d2c9e8cd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

      Filesize

      480B

      MD5

      42ecde34f3354d196bcc337826c9dd0c

      SHA1

      68aee808d91ffb298d8a2b826b788c1e4d062dad

      SHA256

      d3271e5292b0d13c3001c71d4ec5fc6e25a82ff770ac5ce3e3b2e6290a437276

      SHA512

      96cd9a73100ceba36349ec5cfea1c1555418ffd5f867accfaf1f2a9c23de8cd169b8c1ff12564f2d28c2160445492f21e88d9da269f8a2ab39bcff78e41017fb

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\E696D64614\winlogon.exe

      (recorded three times with identical hashes; the dropped file is a byte-for-byte copy of the submitted sample, i.e. the sample copies itself under a random-looking directory name and runs the copy as winlogon.exe)

      Filesize

      696KB

      MD5

      5664cb66c77c970bfcd2c7ed7f81a3e6

      SHA1

      c193db82c860897177420582c7d09cfbbf1bc673

      SHA256

      75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b

      SHA512

      74873839ef687d3d959054bf41628bf9bc4e44838d5ece0d83db010db1ce5c52498e8e57d49a82b87f1e0f77f5a5b460769cf0d8b5ea865347fd26e62a419228

    • memory/1200-132-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/1200-141-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/1200-135-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/1752-157-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1752-148-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1752-147-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1752-144-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1752-159-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1752-143-0x0000000000000000-mapping.dmp

    • memory/4752-158-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/4752-142-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/4752-136-0x0000000000000000-mapping.dmp
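The process tree, signature list and dropped-file hashes above can be triaged mechanically. The following is an added example (not part of this report or of the sandbox's own tooling) that transcribes the report's records into Python and runs the three checks an analyst would want automated: a core system binary name (winlogon.exe) running outside the Windows directory, a dropped file whose SHA-256 equals the submitted sample's (self-replication), and a parent that used both WriteProcessMemory and SetThreadContext before spawning a child of its own image (the classic hollowing shape). The signature names, PIDs, paths and hashes are taken verbatim from the report; the lists of system binary names, system directories and persistence-related signatures are the example's own assumptions.

```python
"""Triage checks over a sandbox report's process tree and dropped-file list.

Added example: records below are transcribed from the report; the check
logic and the SYSTEM_BINARIES / SYSTEM_DIRS / PERSISTENCE_SIGS lists are
this example's assumptions, not output of the sandbox.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SAMPLE_SHA256 = "75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\75358a611f77f657dbd86b1aa400a00388c660a0514815d1b91de855455b4d8b.exe")
DROPPED_PATH = r"C:\Users\Admin\E696D64614\winlogon.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str
    parent: Optional[int]
    sigs: FrozenSet[str]


# Process tree transcribed from the report (signature names as the sandbox prints them).
PROCESSES: List[Proc] = [
    Proc(1200, SAMPLE_PATH, None, frozenset({
        "Checks computer location settings",
        "Suspicious use of SetWindowsHookEx",
        "Suspicious use of WriteProcessMemory"})),
    Proc(4752, DROPPED_PATH, 1200, frozenset({
        "Executes dropped EXE",
        "Suspicious use of SetThreadContext",
        "Suspicious use of SetWindowsHookEx",
        "Suspicious use of WriteProcessMemory"})),
    Proc(1752, DROPPED_PATH, 4752, frozenset({
        "UAC bypass",
        "Disables RegEdit via registry modification",
        "Sets file execution options in registry",
        "Adds Run key to start application",
        "Drops startup file",
        "Modifies firewall policy service"})),
    Proc(4236, r"C:\Program Files\Internet Explorer\iexplore.exe", None, frozenset({
        "Modifies Internet Explorer settings"})),
]

# Dropped files transcribed from the report: path -> SHA-256.
DROPPED: Dict[str, str] = {DROPPED_PATH: SAMPLE_SHA256}

# Assumed: names that legitimately run only from the Windows directory.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                   "smss.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed: sandbox signatures that indicate a persistence mechanism.
PERSISTENCE_SIGS = {"Adds Run key to start application", "Drops startup file",
                    "Sets file execution options in registry"}


def masquerading(procs: List[Proc]) -> List[int]:
    """PIDs whose image name is a core system binary but whose path is not a system dir."""
    hits = []
    for p in procs:
        low = p.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            hits.append(p.pid)
    return hits


def self_replication(dropped: Dict[str, str], sample_sha256: str) -> List[str]:
    """Dropped paths whose hash equals the submitted sample's: the sample copied itself."""
    return [path for path, sha in dropped.items() if sha.lower() == sample_sha256.lower()]


def injection_chains(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where the parent both wrote another process's memory and
    reset a thread context, and the child runs the parent's own image: hollowing shape."""
    by_pid = {p.pid: p for p in procs}
    needed = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
    pairs = []
    for child in procs:
        parent = by_pid.get(child.parent) if child.parent is not None else None
        if parent and needed <= parent.sigs and parent.path.lower() == child.path.lower():
            pairs.append((parent.pid, child.pid))
    return pairs


def persistence(procs: List[Proc]) -> Dict[int, List[str]]:
    """PID -> persistence-related signatures the sandbox attributed to it."""
    return {p.pid: sorted(p.sigs & PERSISTENCE_SIGS) for p in procs if p.sigs & PERSISTENCE_SIGS}


def triage(procs=PROCESSES, dropped=DROPPED, sample_sha256=SAMPLE_SHA256) -> List[str]:
    """Human-readable findings; one line per hit."""
    out = [f"pid {pid}: system binary name running outside the Windows directory"
           for pid in masquerading(procs)]
    out += [f"{path}: dropped file is a byte-for-byte copy of the sample"
            for path in self_replication(dropped, sample_sha256)]
    out += [f"pid {parent} -> pid {child}: same image re-spawned after WriteProcessMemory"
            f" + SetThreadContext (probable hollowing)" for parent, child in injection_chains(procs)]
    out += [f"pid {pid}: persistence via {', '.join(sigs)}" for pid, sigs in persistence(procs).items()]
    return out


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Run as a script it prints the four kinds of finding for this report. The memory dumps listed above agree with the injection finding: pids 1200 and 4752 map 0x400000-0x446000 (280KB) for the 696KB file, while pid 1752, started from the same file, maps 0x400000-0x43E000 (248KB), which is the different image you expect after the parent has rewritten the child's memory.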