Overview

overview

8

Static

static

e75ce0629d...98.exe

windows7-x64

8

e75ce0629d...98.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe

  • Size

    1.6MB

  • MD5

    e79441b4ee155de683b050dd9873ceab

  • SHA1

    3e0964893f307e16f42ec40a5f45bb1e5522b991

  • SHA256

    e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98

  • SHA512

    f6444e455cf168fa9a46602764660d01eb88d9f9a4fb98d6c8a4147406ff293fd6348e8aab50c8c508f62b471c5d64985147e41bb4af35d1ff89ad2c35a8f990

  • SSDEEP

    384:1LsxK3F8+KVDWED/+D0YfxGV9SpRk854PmE3BcowRsbQywLT9npzl+1tln5y1kzg:VsgG+nEDOdfk2ps3GFsypMt1uZrV

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe
    "C:\Users\Admin\AppData\Local\Temp\e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SYSTEM32\RunDll32.exe
      RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Windows\system32\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
        3⤵
        • Modifies registry class
        PID:376
    • C:\Windows\SYSTEM32\RunDll32.exe
      RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
      2⤵
      • Checks computer location settings
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
        3⤵
          PID:1200
        • C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:1 WinX:0 WinY:0 IEFrame:0000000000000000
          3⤵
          • Drops desktop.ini file(s)
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4948
      • C:\Windows\SYSTEM32\RunDll32.exe
        RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
        2⤵
        • Modifies Internet Explorer settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:0000000000000000
          3⤵
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4232
      • C:\Windows\system32\iexplorer.exe
        "C:\Windows\system32\iexplorer.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3424

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\iexplorer.exe
      Filesize

      1.6MB

      MD5

      e79441b4ee155de683b050dd9873ceab

      SHA1

      3e0964893f307e16f42ec40a5f45bb1e5522b991

      SHA256

      e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98

      SHA512

      f6444e455cf168fa9a46602764660d01eb88d9f9a4fb98d6c8a4147406ff293fd6348e8aab50c8c508f62b471c5d64985147e41bb4af35d1ff89ad2c35a8f990

      Download Submit
    • C:\Windows\system32\iexplorer.exe
      Filesize

      1.6MB

      MD5

      e79441b4ee155de683b050dd9873ceab

      SHA1

      3e0964893f307e16f42ec40a5f45bb1e5522b991

      SHA256

      e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98

      SHA512

      f6444e455cf168fa9a46602764660d01eb88d9f9a4fb98d6c8a4147406ff293fd6348e8aab50c8c508f62b471c5d64985147e41bb4af35d1ff89ad2c35a8f990

      Download Submit
    • memory/376-140-0x0000000000000000-mapping.dmp
      Download
    • memory/428-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2764-132-0x00007FFD7C800000-0x00007FFD7D236000-memory.dmp
      Filesize

      10.2MB

      Download
    • memory/3424-136-0x0000000000000000-mapping.dmp
      Download
    • memory/3424-139-0x00007FFD7C800000-0x00007FFD7D236000-memory.dmp
      Filesize

      10.2MB

      Download
    • memory/4232-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4560-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4772-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4948-142-0x0000000000000000-mapping.dmp
      Download