Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 15:47

General

  • Target

    a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29.exe

  • Size

    244KB

  • MD5

    f823136cc75e246328d0a41983fc63d4

  • SHA1

    6ed5ab4a7a16039c9a83b85281e1795c6e464396

  • SHA256

    a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29

  • SHA512

    4f1607d6938ebc690a43699e605381669195ad44f82a73104608791e7263db16cdb28350f5dd388cd94f87d30f3b327f647b54e7f120b1a75fc4e5ab9aea9b4b

  • SSDEEP

    3072:BOJoplT2mX2MIaVLXM0Lgqfp7+H4De2dN+K/p7ZwtD6:PlTTtIOXjgqt+0Zp1wl6

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29.exe
    "C:\Users\Admin\AppData\Local\Temp\a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29.exe
      C:\Users\Admin\AppData\Local\Temp\a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Users\Admin\E696D64614\winlogon.exe
          C:\Users\Admin\E696D64614\winlogon.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:224
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1276
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3376
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3280 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4880

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

        Filesize

        2KB

        MD5

        38a9ee40b61155284982e2fa94ecabb8

        SHA1

        48847436aebb7737c0ffb7a1c7890b97277372ec

        SHA256

        39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

        SHA512

        1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        e32d02ce684c01ef3af05fae9066160e

        SHA1

        29c7a6e8ed553ac2765634265d1db041d6d422ec

        SHA256

        b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

        SHA512

        e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        1KB

        MD5

        23c896e3fc14b0352780bf8710ebd27a

        SHA1

        f80cbc14c2447f02c067cc2c126e105b552d472b

        SHA256

        df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

        SHA512

        230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

        Filesize

        472B

        MD5

        176c5bdeeb799ec212e8b21126aa58d5

        SHA1

        02c76719828821643ec84cfe61ecb4499838021c

        SHA256

        eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

        SHA512

        a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

        Filesize

        488B

        MD5

        cc5b7917f2c6c3de551c656b24c58426

        SHA1

        3491e6efa5aba977c915a6e252a29e678a250772

        SHA256

        80859f23ac40bbb014cb5bb4da447efc22ed8ff2ec9a7e89a08f4ceba30349a6

        SHA512

        b5058425bf6b06040ca10d6a4282ecd74755ece748dbbfa9b04fbb759125eb22f0b68fd16adff29d70215446eb51830d97386adff1a8229f9328665d4080bb9f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        dfc8c7fbfb42bf2598ab90020f0feebe

        SHA1

        d0ef60e6a0214a894723d125499f4123c04f38bd

        SHA256

        e94846b014c39953dce29b5b69da703580bf26142eed3a845c8e14620fd4ea4b

        SHA512

        044c96d834691652b82c13329dee9fb5f88802f39634bd6fe90bcbe8d2b53e5b4d867afad36985c0fe0895901022b419b8304744d7a8f675a9a9dbf870daba6f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        482B

        MD5

        4d3e75ff1e35f3a2269bd0ae41ae4628

        SHA1

        8bd0846373bce408c0c4cc2c6cdfd00927f11206

        SHA256

        7743150d5fac595d57c1b98eb95a42e9fa84b8db1d2dae11954f600b196516a7

        SHA512

        a75ba468ad7c318a7029caf3a7b1c36ba83c42b8b9d8dc58975b8a5d49b16caa230f00482ebdb1dff09f7888e7ddcb41ca3b7443cb9de5d6b5f29adf4b28cd17

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

        Filesize

        480B

        MD5

        36a9bfa8489ff41e06c183a63f1ebdfb

        SHA1

        0d1afbbbc8611ef75eb537e6300bd867a93c9c33

        SHA256

        8c278237e5a50566eabd5be2bf46a02efaa5ac8e62b4e0e2e9e3a2f37de41177

        SHA512

        09c27ddcad95a4f360c547171a805985dae1153fffff7b964ebb80ec8864f42e61f36e707989cf96c57ff0e277c391952183d0d57a280a0e0f3686bf750b5d16

      • C:\Users\Admin\E696D64614\winlogon.exe

        Filesize

        244KB

        MD5

        f823136cc75e246328d0a41983fc63d4

        SHA1

        6ed5ab4a7a16039c9a83b85281e1795c6e464396

        SHA256

        a9b05637be91f963cb0c8806af7dcc0093f4a210d68bf51c116ae03cf3628a29

        SHA512

        4f1607d6938ebc690a43699e605381669195ad44f82a73104608791e7263db16cdb28350f5dd388cd94f87d30f3b327f647b54e7f120b1a75fc4e5ab9aea9b4b

      • memory/224-159-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/224-155-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/224-158-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/224-162-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/224-154-0x0000000000000000-mapping.dmp

      • memory/224-169-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/1208-153-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/1208-144-0x0000000000000000-mapping.dmp

      • memory/4356-141-0x0000000000000000-mapping.dmp

      • memory/5000-145-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/5000-140-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/5000-139-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/5000-136-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/5000-132-0x0000000000000000-mapping.dmp

      • memory/5000-135-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/5000-133-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB