Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 11:06

General

  • Target

    f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe

  • Size

    208KB

  • MD5

    d770b3b7796bbf4caca7d8885cddf5a7

  • SHA1

    6278c627b967a0f46201cd77e48338d7061271c8

  • SHA256

    f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f

  • SHA512

    69c481f6227854cfb6c43d7a5ed1324f3d1fe4964a40b52e7549d5770c7b481f1931e76f8251edefb3fef9be60dbf81b9b6e74ce9509b3b66b5c350410215f2d

  • SSDEEP

    6144:gc7/0wU6orOacpyXaDmlc0IuQM97WfMbeRmDmq:gdwU6oXcaWvv6

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Deletes itself (1 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTPs, 58 IoCs)
  • Modifies registry class (60 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe
    "C:\Users\Admin\AppData\Local\Temp\f0bcb9de25708f3ff7e5b380243d60d78cf6554178e2412383d80b0725a7e04f.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1744
    • \??\c:\Program FilesHH5V34.exe
      "c:\Program FilesHH5V34.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Program Files\Internet Explorer\IEXPLORE.exe
        "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:896
      • C:\Program Files\Internet Explorer\IEXPLORE.exe
        "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forxuyan_0977.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2024
    • C:\Windows\SysWOW64\WScript.Exe
      WScript.Exe jies.bak.vbs
      2⤵
      • Deletes itself
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program FilesHH5V34.exe

    Filesize

    36KB

    MD5

    24b18a0bedbb1183d5fff889a245b75d

    SHA1

    2fbd780f06d7f509284113bea5465601764cd14e

    SHA256

    c853c35f67aa1ceef3ccccc32479c165a4530dc64e48ed23fcfd676bb01db090

    SHA512

    8d44bcb7392c46410023cfb2691b4b2cba340fdf9561a02b09f55913743568ff463799e218352adaefe4989f86e457e1f9fc3887134cf7b668d6cd2e5b8a4d19

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8E680311-6B23-11ED-BBEF-F2255ECFD43B}.dat

    Filesize

    5KB

    MD5

    780046f1adb4f342530f72f75400f4c9

    SHA1

    428a167d910efdf70eb0759375bc228c7885d322

    SHA256

    88eb5836ba220081c0c8c51cf3df3b4fadbf14e820015d605fe05d0218171090

    SHA512

    1e4bfa43d6d531be480b869e7f18b7b286090b3449dde8ea5bff9bc51d115193d39d10fa1b00f5b6a828cff321f9e2462cde40044ad497311960dd32cf09229c

  • C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

    Filesize

    486B

    MD5

    92cb80c5994e0a192e2abd64a4b65122

    SHA1

    011cc840d3785bae845facb5c36eae8763106533

    SHA256

    db3564396bfdf5a635c37b374da65eb6ce64e0935ea7478bf8522e8a5b05330a

    SHA512

    3bc02ad4aa06aaae5d3f63e5f25af5bc1554d8b9031435a5686f3ecf56c09e7c17439c4cfe1888800b83bc2e5c602e199c6c5e3239a1c39e7ad26403680d631d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z5N50B90.txt

    Filesize

    603B

    MD5

    ec11886e713ca02279a72bc7d19c663c

    SHA1

    d45f4c75c0b95799da979ebffcf2971daf183fa8

    SHA256

    7c5e309d169ebc07adbc7edfa95282448e328308d6820202a809ead9a5c5540f

    SHA512

    9992775da9615bc956922b909c61fa8c547873cb096d6a07b99dd5d31aeacbffc2b0f25577f0e9a3b27ed975b0b65db078cc2fba5fb8564c703423823649ebbc

  • memory/308-57-0x0000000000000000-mapping.dmp

  • memory/1744-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

    Filesize

    8KB

  • memory/1944-62-0x0000000000000000-mapping.dmp