Analysis

  • max time kernel
    150s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 15:45

General

  • Target

    0bcfcc85e6a2de500bf258d91e6767ba41beaaa34832128b626cf601a514af30.exe

  • Size

    610KB

  • MD5

    a7c9dea231011cd6e2c93fa3a4bea93e

  • SHA1

    16553927551ad794671994e8b98029424e8403ac

  • SHA256

    0bcfcc85e6a2de500bf258d91e6767ba41beaaa34832128b626cf601a514af30

  • SHA512

    97aa210eb380aa86463daacf55761e0b5e521a0e0b026e01479f55cf951cc46c9d9e4b6ef7eb5aefdf9b8cc7bc15415347e30892972f21de0d6acbc6f6aca496

  • SSDEEP

    12288:AKQitq/nbnk7GNU03N3xeYCNihX8nr31sg5p+p4r5oObQOldoNt48:AK8/jrUOkYfXArT0kAt

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bcfcc85e6a2de500bf258d91e6767ba41beaaa34832128b626cf601a514af30.exe
    "C:\Users\Admin\AppData\Local\Temp\0bcfcc85e6a2de500bf258d91e6767ba41beaaa34832128b626cf601a514af30.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
        3⤵
        • Adds Run key to start application
        PID:636
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:764
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275461 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:840
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:799754 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1400
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:603161 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1780
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275482 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:640
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      PID:1140
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      PID:1040
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      PID:676
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        PID:964
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      PID:2016
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      PID:1184
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      PID:2288
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:392

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\foto.jpg
    Filesize

    61KB

    MD5

    5b69b874373869f21ba11d0adee96a4d

    SHA1

    5e9e66fe374ce3c6612f7c29c74e0d8c286a5f8e

    SHA256

    5f2559a6c6eabf7ac862e4e44e7364109fb0784ca3b4512827b9a37c5b44739c

    SHA512

    a366fc122d2102dd31438af54ad8ea987b2cde867781f1f94ac2a4bbda9d3083f58db53aa880e63bd428b9b527e9652cfa0ecf3f219fd215b22d42173d6ce698

  • \Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe
    Filesize

    610KB

    MD5

    a7c9dea231011cd6e2c93fa3a4bea93e

    SHA1

    16553927551ad794671994e8b98029424e8403ac

    SHA256

    0bcfcc85e6a2de500bf258d91e6767ba41beaaa34832128b626cf601a514af30

    SHA512

    97aa210eb380aa86463daacf55761e0b5e521a0e0b026e01479f55cf951cc46c9d9e4b6ef7eb5aefdf9b8cc7bc15415347e30892972f21de0d6acbc6f6aca496

  • memory/636-61-0x0000000000000000-mapping.dmp
  • memory/676-106-0x000000000044503E-mapping.dmp
  • memory/1040-94-0x000000000044503E-mapping.dmp
  • memory/1068-65-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1068-62-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1068-63-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1068-66-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1068-68-0x000000000044503E-mapping.dmp
  • memory/1068-67-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1068-70-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1068-72-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

  • memory/1140-82-0x000000000044503E-mapping.dmp
  • memory/1184-130-0x000000000044503E-mapping.dmp
  • memory/1924-60-0x0000000000000000-mapping.dmp
  • memory/2016-118-0x000000000044503E-mapping.dmp
  • memory/2032-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

  • memory/2032-56-0x0000000000B76000-0x0000000000B87000-memory.dmp
    Filesize

    68KB

  • memory/2032-55-0x00000000740B0000-0x000000007465B000-memory.dmp
    Filesize

    5.7MB

  • memory/2032-57-0x00000000740B0000-0x000000007465B000-memory.dmp
    Filesize

    5.7MB

  • memory/2032-58-0x0000000000B76000-0x0000000000B87000-memory.dmp
    Filesize

    68KB

  • memory/2288-142-0x000000000044503E-mapping.dmp