Overview

overview

8

Static

static

8

a7d4f029e4...2c.exe

windows7-x64

8

a7d4f029e4...2c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7d4f029e414a8958fefadc1cd0e00a4da6484c8cd67a3bf683dba155cadbe2c.exe

  • Size

    135KB

  • MD5

    48836d4ff5f60d29b797f8c3afd85a40

  • SHA1

    0c52ff91a11747137a4efd9446dc2253a70ada5d

  • SHA256

    a7d4f029e414a8958fefadc1cd0e00a4da6484c8cd67a3bf683dba155cadbe2c

  • SHA512

    a77c4011118c98bd09ca5d26c3ce40a4e7c7a07352d426002f458ec487a2a9c91c9075602d52e180a344536051f8f84540ebac763981699bc0d1bf6b7ff51496

  • SSDEEP

    3072:Cnb0qmVS1dwRWEtwAUPXE+VEUM8+UcLoq3//Gm:CbeVS1dmzwdEh8l6/Gm

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7d4f029e414a8958fefadc1cd0e00a4da6484c8cd67a3bf683dba155cadbe2c.exe
    "C:\Users\Admin\AppData\Local\Temp\a7d4f029e414a8958fefadc1cd0e00a4da6484c8cd67a3bf683dba155cadbe2c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1012
    • \??\c:\yto890.exe
      c:\yto890.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
        "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1224
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://lovechina.bmw444.com/GoGoGo888.ashx?Mac=66:51:94:5C:A2:13&UserId=87&Bate=4.06
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://lovechina.bmw444.com/GoGoGo888.ashx?Mac=66:51:94:5C:A2:13&UserId=87&Bate=4.06
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:275457 /prefetch:2
          4⤵
          • Loads dropped DLL
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
    Filesize

    78KB

    MD5

    40934488d341e06d4e86a481c95aa56a

    SHA1

    73c63beffb5b339e39c169ae7f00422a7a5705a1

    SHA256

    d89dc4399145c7c358af7c292c719675b7098b8f4b3c228106b97979613d6525

    SHA512

    c9c3cd9172070edca5eb11495e0c6fc7024e2c133d3b3c0e89e0be128a3a8f7e908c184bfc1f55499c42af9605ef7be49d6e86650e41315d36da3019f4b82985

    Download Submit

  • C:\Program Files (x86)\Common Files\microsoft shared\explorer.exe
    Filesize

    78KB

    MD5

    40934488d341e06d4e86a481c95aa56a

    SHA1

    73c63beffb5b339e39c169ae7f00422a7a5705a1

    SHA256

    d89dc4399145c7c358af7c292c719675b7098b8f4b3c228106b97979613d6525

    SHA512

    c9c3cd9172070edca5eb11495e0c6fc7024e2c133d3b3c0e89e0be128a3a8f7e908c184bfc1f55499c42af9605ef7be49d6e86650e41315d36da3019f4b82985

    Download Submit

  • C:\Program Files (x86)\Common Files\uiui8.dll
    Filesize

    17KB

    MD5

    90b1f2289c3121611de1b47a54803e38

    SHA1

    8c1a78e9e777072aa60c365feb94b4eaee93ee8a

    SHA256

    28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c

    SHA512

    216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S3N8QVBU.txt
    Filesize

    608B

    MD5

    806c134d681d9e8e99b88a5affb4db81

    SHA1

    40913ffe04a0344cebc433f486fc759662471a3b

    SHA256

    a8db3ebf5aac6d7f4ad795457b1552057742002d0a2f60b477c404d2cd69bb4c

    SHA512

    dc188f642b9226dfc8880b2debe2d372abdf8685c2bd7c0012d83453c6686cf8ba348658deca3cdb958c606f3c6e62490608f29899d4bbc6540036c60c5687c4

    Download Submit

  • C:\yto890.exe
    Filesize

    78KB

    MD5

    40934488d341e06d4e86a481c95aa56a

    SHA1

    73c63beffb5b339e39c169ae7f00422a7a5705a1

    SHA256

    d89dc4399145c7c358af7c292c719675b7098b8f4b3c228106b97979613d6525

    SHA512

    c9c3cd9172070edca5eb11495e0c6fc7024e2c133d3b3c0e89e0be128a3a8f7e908c184bfc1f55499c42af9605ef7be49d6e86650e41315d36da3019f4b82985

    Download Submit

  • \??\c:\yto890.exe
    Filesize

    78KB

    MD5

    40934488d341e06d4e86a481c95aa56a

    SHA1

    73c63beffb5b339e39c169ae7f00422a7a5705a1

    SHA256

    d89dc4399145c7c358af7c292c719675b7098b8f4b3c228106b97979613d6525

    SHA512

    c9c3cd9172070edca5eb11495e0c6fc7024e2c133d3b3c0e89e0be128a3a8f7e908c184bfc1f55499c42af9605ef7be49d6e86650e41315d36da3019f4b82985

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\explorer.exe
    Filesize

    78KB

    MD5

    40934488d341e06d4e86a481c95aa56a

    SHA1

    73c63beffb5b339e39c169ae7f00422a7a5705a1

    SHA256

    d89dc4399145c7c358af7c292c719675b7098b8f4b3c228106b97979613d6525

    SHA512

    c9c3cd9172070edca5eb11495e0c6fc7024e2c133d3b3c0e89e0be128a3a8f7e908c184bfc1f55499c42af9605ef7be49d6e86650e41315d36da3019f4b82985

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\explorer.exe
    Filesize

    78KB

    MD5

    40934488d341e06d4e86a481c95aa56a

    SHA1

    73c63beffb5b339e39c169ae7f00422a7a5705a1

    SHA256

    d89dc4399145c7c358af7c292c719675b7098b8f4b3c228106b97979613d6525

    SHA512

    c9c3cd9172070edca5eb11495e0c6fc7024e2c133d3b3c0e89e0be128a3a8f7e908c184bfc1f55499c42af9605ef7be49d6e86650e41315d36da3019f4b82985

    Download Submit

  • \Program Files (x86)\Common Files\uiui8.dll
    Filesize

    17KB

    MD5

    90b1f2289c3121611de1b47a54803e38

    SHA1

    8c1a78e9e777072aa60c365feb94b4eaee93ee8a

    SHA256

    28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c

    SHA512

    216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6

    Download Submit

  • \Program Files (x86)\Common Files\uiui8.dll
    Filesize

    17KB

    MD5

    90b1f2289c3121611de1b47a54803e38

    SHA1

    8c1a78e9e777072aa60c365feb94b4eaee93ee8a

    SHA256

    28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c

    SHA512

    216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6

    Download Submit

  • \Program Files (x86)\Common Files\uiui8.dll
    Filesize

    17KB

    MD5

    90b1f2289c3121611de1b47a54803e38

    SHA1

    8c1a78e9e777072aa60c365feb94b4eaee93ee8a

    SHA256

    28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c

    SHA512

    216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6

    Download Submit

  • memory/1012-65-0x0000000000430000-0x0000000000481000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1012-64-0x0000000000430000-0x0000000000481000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1224-67-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1224-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1224-74-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1364-66-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1364-69-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1364-55-0x0000000000000000-mapping.dmp

    Download