Analysis
-
max time kernel
141s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
21-10-2022 04:52
General
-
Target
4b5de56e33e310e79076fc2a4fe182bc30284608d8029285b09d0b12b7eb2e98.exe
-
Size
252KB
-
MD5
427e35a6495f37a96d047f1c4ae1ac86
-
SHA1
d1f983fc45f1d51216a61ee8a3c23e1c1fd1c7d5
-
SHA256
4b5de56e33e310e79076fc2a4fe182bc30284608d8029285b09d0b12b7eb2e98
-
SHA512
11ec58af55a6741d0cfcba5554ecc21cd1c2afbed06a1bd55aa4af631bd201c16755f52048819194e00022dc9d3b7c58327f46abaa5cce2b88c3338a457caf1a
-
SSDEEP
3072:KCtFBrDkiap75+blxPCMwy6K9MHecBQ41pBys8:KCtFtDg9sSS0HeQ8
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 20 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b5de56e33e310e79076fc2a4fe182bc30284608d8029285b09d0b12b7eb2e98.exe"C:\Users\Admin\AppData\Local\Temp\4b5de56e33e310e79076fc2a4fe182bc30284608d8029285b09d0b12b7eb2e98.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\simc.tmpC:\Users\Admin\AppData\Roaming\simc.tmp2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c afc9fe2f418b00a0.bat3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:275457 /prefetch:25⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\smap.tmpC:\Users\Admin\AppData\Roaming\smap.tmp3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4B5DE5~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD52b99b7f66b8ebba3071330bcbaccc022
SHA11a79cdcdd4dd3c9e22b45acdbc20a51da5f23e52
SHA2563ed44f8ec4dd76cadb989353a1ed4a578d93fbba2eb0997443000384e2fb7f09
SHA51203671ec8fbe45df652bddf47141fd017cfd86b25c034608be23eb82035b3e7504765d4fdc9c42e1bbb3de4b132476a5e7156d83fe1982be283c9ea51e9cc8671
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD566255a9ad2f8d7deaa5577ca57942871
SHA18003fcd6cf3edd5b053b2765c7178ae90832f370
SHA256553e76f0372969152c699aa8f02d0610114492cf1a0386cd425a6b6e861aa197
SHA512895951abacd29c28e2970096db9e694626952791f4ff84a77c4f584baae80eb9ef7206fa501d671c6983c9c08cce9016a6a572b65d79fc9f5da39cea9e2d4a04
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
12.3MB
MD5bfb615a3ca53900b21a90b2e56a11621
SHA1f48f5bc10a31185440708e17cd006265d6431c2e
SHA2569f4319171d80bd173e12e08a049c4fac850197e2ad9602aea074a83d4b16f64a
SHA512aa7eab7ef650340d6bf1d877da8145dda93b32bc93c80cde51a0d82522bf0cacf0d29589c411e6d202f83cfc0dbea62b94b239bba2b35fac271e8ab7ffb46272
-
Filesize
150B
MD5a46b691be5eee69ff975ca45c311f018
SHA13b9bed578b7554252eb88f900ce398f25d01910a
SHA256a29ce165a0fbd6c8dfec21c891ac2a4d385ef1f7b29e92ae46b131e6694628f4
SHA5126b8acaa1871b6cb8d68bbabc48146b56f267abb329b9ac2357ac70911fd15bd668ff49260e12d54812fd4f066eed67e311414828ddbc3b9068b8b998edb9c08e
-
Filesize
2KB
MD53d15f5598c7304d4620c459d16b672d6
SHA1d5fd318f2347ef63c062aef5658c5ad5934107c6
SHA25630d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6
SHA51209c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10
-
Filesize
691B
MD597f94bb975876582715e95f7751546bb
SHA1e1b07092d2454c2d95d8aa76bb44feedae59ce3e
SHA2561b6df88776e4b304fe01c9f495e16fb7116a5eacea2579ea07146a6e2324f7c1
SHA5127d1823c36abab4723094255fd98bfac8d9797f2e5d1c56930927e872ccb0f175c9046d63aaccb8ef3ebcd79adccb779c095e95cd277b383bf8c4f4ac4f2782f5
-
Filesize
89KB
MD573d7f1deb9b0c07394fabcdee5e94f30
SHA18d5b3e57aa38f90d52a6e715be2ae1599ca1b6da
SHA25694ee739dc94d50fbe2fba725f73fc5fd057240170557a5cd7f3463688479864a
SHA512cbac201973d8286b02753f94d9ed889a88fa8995d66aacc2886e480b2f73d1320a4f40f28932bf345e9cfcb4ba610ce6a5b966ca14b54b2389e40d2d8d5aa77a
-
Filesize
89KB
MD573d7f1deb9b0c07394fabcdee5e94f30
SHA18d5b3e57aa38f90d52a6e715be2ae1599ca1b6da
SHA25694ee739dc94d50fbe2fba725f73fc5fd057240170557a5cd7f3463688479864a
SHA512cbac201973d8286b02753f94d9ed889a88fa8995d66aacc2886e480b2f73d1320a4f40f28932bf345e9cfcb4ba610ce6a5b966ca14b54b2389e40d2d8d5aa77a
-
Filesize
37.4MB
MD590a74b26176df3e91c75496d8656e2ee
SHA1837c5533f9e5fcfb05cfb45f50db63a4e4e1f1b8
SHA2565680412130edde0e62524b993625305774eabe5824a1205591748baabf5b1286
SHA512c20ca8f196bcd1d2d32b78f3d3e6b56b7572eabe5065438451088794ace009e60ca3788c8a60ba355d6781950460b623613d990a4ec84bafb934a2eb37cf8dd6
-
Filesize
35.6MB
MD565d4c2fd64c37156c05446815ce2b8d7
SHA1965ee5ea819b08b906fccffaa519f9a79d1f4279
SHA256e602d12427ad7d3701ec323c33607ee17a266db9e60b3ed6836737846ca16741
SHA512d3a40d6f42ae91b0d631325418bc7443a9d0457efb886c6e0f03d2fda180c32aea9282325108505224b12dd7eb97fd10f92242d19dfda9ecbbbf2c739c2fb208
-
Filesize
89KB
MD573d7f1deb9b0c07394fabcdee5e94f30
SHA18d5b3e57aa38f90d52a6e715be2ae1599ca1b6da
SHA25694ee739dc94d50fbe2fba725f73fc5fd057240170557a5cd7f3463688479864a
SHA512cbac201973d8286b02753f94d9ed889a88fa8995d66aacc2886e480b2f73d1320a4f40f28932bf345e9cfcb4ba610ce6a5b966ca14b54b2389e40d2d8d5aa77a
-
Filesize
89KB
MD573d7f1deb9b0c07394fabcdee5e94f30
SHA18d5b3e57aa38f90d52a6e715be2ae1599ca1b6da
SHA25694ee739dc94d50fbe2fba725f73fc5fd057240170557a5cd7f3463688479864a
SHA512cbac201973d8286b02753f94d9ed889a88fa8995d66aacc2886e480b2f73d1320a4f40f28932bf345e9cfcb4ba610ce6a5b966ca14b54b2389e40d2d8d5aa77a
-
Filesize
38.1MB
MD55ef48ef01976d5a805550acdd8df9261
SHA11c439074b8cfc7c582915dd676283b853d45418f
SHA2563f9c544f3d6f51291ae90f83c9336d365860837646d3a2487594998ee516a8f9
SHA512b10065212374258d08693b08a2ededbd385988d4fab2d58cfcc3a87c1aa18d66481d08129dc337178a67e20a9f288834527c51eaeebc3ddc8e7ba98004cb7d41
-
Filesize
34.1MB
MD56b9af760ecbdc36db4bd77cec29a0c19
SHA1d28a4b2299a9af6a31341e1169ecfe5bc0e28b02
SHA256dc133b71b0a60ee077a509ecf5f94d9af75793aa65587293484e37b289d5b254
SHA512db802f71acab29741bf3faeaabfe425f35bcee769e830f042404707bcb056633bd4402658f0fc3b87cb27b50566d8d6c1450587f0dbf7a9c5cbf206ea7816646
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
252KB