Analysis

  • max time kernel
    152s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 09:49

General

  • Target

    d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0.exe

  • Size

    493KB

  • MD5

    aa5baceedd152402651c8c64dd859dce

  • SHA1

    d55766c28cecccb6f0b4c6401cb779d4307c7800

  • SHA256

    d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0

  • SHA512

    02c1eaca00900c673ce43e7eac49dedf2127cc5ac80f8d2468b9961653013e052f3bdd768c7fe8d8a1a7344a5a898f51fa21886c1b69450508207340a9fb5eb9

  • SSDEEP

    1536:9NhENNo2oa5pHwAVvu0IysOPv3YdI3EpCK+V5iR/yKoDn66XujshkGXE7rFKh:9gN5ogyJ0XgdsEIKlyKo26Jkj7rF

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0.exe
    "C:\Users\Admin\AppData\Local\Temp\d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0.exe
      "C:\Users\Admin\AppData\Local\Temp\d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:2608
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2552
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
      PID:2772
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4356 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1304

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

        Filesize

        2KB

        MD5

        38a9ee40b61155284982e2fa94ecabb8

        SHA1

        48847436aebb7737c0ffb7a1c7890b97277372ec

        SHA256

        39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

        SHA512

        1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        416f43a5e5978e25d0b2b3804604f9eb

        SHA1

        71da8e406f52bb253c6b3932e24038dd593521a9

        SHA256

        457ae2aca2600e218804f138f83fb6f5ee451a0694cff806f97f15f5b00b1917

        SHA512

        0ece1d0ffa3cebd377155244da084f25206cda3ca499adf63eceab3b157598a2e290352120900563ece8938183b2a090dc527461eb4a197310abebb82103fecb

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        1KB

        MD5

        23c896e3fc14b0352780bf8710ebd27a

        SHA1

        f80cbc14c2447f02c067cc2c126e105b552d472b

        SHA256

        df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

        SHA512

        230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

        Filesize

        472B

        MD5

        a23d14e29a03340350eedf7deeb335be

        SHA1

        34645a7b8af30e7e80820ccf7d3e12ae2c562c81

        SHA256

        10aac9bb1946b24c335f10fbe1c0a83c10ed95a6503d97a5eb510107214741e5

        SHA512

        2f394afca265d53db58c360dae75e2993e0cd1a5598a5b8a34a95e09d1c2e7d138c15f18fa7e7ef957e90d50f4dd4024e2dc22afd8e39aca9cffefd9bb14f98c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

        Filesize

        488B

        MD5

        5f690ec1f3c276ebf2efa289ac0704b7

        SHA1

        6093eda8f334aac6aa235f616a5c4cfefea7538e

        SHA256

        03a0b5f140fe3bc61a420238ebc78e2e7af1077a9b5c61d1f411f66e78f39680

        SHA512

        4828864a521f478b99c73d9e6c1149b669de5a03b490b73786b3e26b97f8706c445ec908026f90ca93556f7b79a84ad9a82b233cb6d7c836c4b15e460c42c609

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        9a7786f62904854eaecfcbf9be8dcbd4

        SHA1

        57e4fa6802c0603e682fc40b089bcb3e514f4b42

        SHA256

        94c9b092a04ee6ebf2d1c7c46cd40d5dba7ee6f289db039df86b540a3c5cad1c

        SHA512

        175f072b204edc7c2a1431775f853457662bcbed85f23e8e0da4bf41fa977a0b99ca8d55a6650760f1628c89e6e27de440ed5bd454fe4834e5b41a4cc6428b82

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        482B

        MD5

        7bf3967015ba0a6edcb442235a143ff3

        SHA1

        ce349a8af0fdc34dd1964d56b7ea53c74c3e3c09

        SHA256

        a578a26863aca1bd90794ce25b5f18ea96f1ec48ca566f699f553f0a653cdea4

        SHA512

        5b8c0468038ac1b8842456c5da1710787a3d885525c322e81b0fcc2fc435566259d35edd1d0a8d2463082bc52293482c4ab876a1ddfa6f315de8b41aa030b4fd

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

        Filesize

        480B

        MD5

        20ecfadeba8cb5b8be9b8e41a94d65b9

        SHA1

        fbf19fde9c32bfcbf7c0a0f5c427ea29a5cf026e

        SHA256

        815ba2cd02e0197d1dcc3aaffa04a4a5bf6c958f0e0fa537167950f0ca1db488

        SHA512

        96f3dd8f5c52af11301cac44c21e8553c2a29f5f3fd228a1c690adafc8fed4194b102b3c1f48c931f3ad197f40c0f9263e5cab126b58ea418ce8e35356db5753

      • C:\Users\Admin\E696D64614\winlogon.exe

        Filesize

        493KB

        MD5

        aa5baceedd152402651c8c64dd859dce

        SHA1

        d55766c28cecccb6f0b4c6401cb779d4307c7800

        SHA256

        d34fbe9ec9a27f20ccfd1ca034c6ab62d4fb958c6400cf3976c332cae10e0da0

        SHA512

        02c1eaca00900c673ce43e7eac49dedf2127cc5ac80f8d2468b9961653013e052f3bdd768c7fe8d8a1a7344a5a898f51fa21886c1b69450508207340a9fb5eb9

      • memory/1940-143-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1940-133-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1940-135-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1940-136-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1940-139-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1940-132-0x0000000000000000-mapping.dmp

      • memory/2608-157-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/2608-161-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/2608-158-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/2608-168-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/2608-154-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/2608-153-0x0000000000000000-mapping.dmp

      • memory/4852-144-0x0000000000000000-mapping.dmp

      • memory/4852-152-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/4880-140-0x0000000000000000-mapping.dmp