Analysis

  • max time kernel
    168s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 16:52

General

  • Target

    7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe

  • Size

    1.2MB

  • MD5

    956972e02044d5255ba631548fab1415

  • SHA1

    589ba5d773b4eb338f62e5839838f4f15cae5255

  • SHA256

    7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77

  • SHA512

    5aa928d14c01462d68a35cf45643d0364b336379dff15c5867a33dab0bea04481f6d848e5553dc872fb6e20a51e2e3e2c4a6a4fe37a470c72686959d0a3fac19

  • SSDEEP

    12288:8GKvjzGASyZ6OENzf8s+y0EMc/4mxooBxXXlDKGKvjzGASyZ6OENzf8s+y0EMc/8:NJZTJZe

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no file-encryption or ransom-note activity appears anywhere else in this report, so on its own it only shows drive enumeration.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
    "C:\Users\Admin\AppData\Local\Temp\7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im TTraveler.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Icon_1.ico
      2⤵
        PID:324
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe"
        2⤵
        • Executes dropped EXE
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im TTraveler.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1172
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1832
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2ec
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1744

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Icon_1.ico

      Filesize

      24B

      MD5

      fc8c30c440f338815f5fa813392a7e5d

      SHA1

      5bfebf7d4e4e59b88bbc3674169910350a718962

      SHA256

      d4d3be8ecf145f4e02d8e6f1f7b72688ee11ccc6d5bd626e1fe61e5a71c0e20a

      SHA512

      5db8657478b664066f0870623fffe9f0640bd7aeddf552695b3de506c86b8fc03e069a5334ba16dbaceff8dc74b9508c113f372f510fb4be9f1333f98e6f5b30

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe

      Filesize

      1.2MB

      MD5

      956972e02044d5255ba631548fab1415

      SHA1

      589ba5d773b4eb338f62e5839838f4f15cae5255

      SHA256

      7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77

      SHA512

      5aa928d14c01462d68a35cf45643d0364b336379dff15c5867a33dab0bea04481f6d848e5553dc872fb6e20a51e2e3e2c4a6a4fe37a470c72686959d0a3fac19

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe

      Filesize

      1.2MB

      MD5

      956972e02044d5255ba631548fab1415

      SHA1

      589ba5d773b4eb338f62e5839838f4f15cae5255

      SHA256

      7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77

      SHA512

      5aa928d14c01462d68a35cf45643d0364b336379dff15c5867a33dab0bea04481f6d848e5553dc872fb6e20a51e2e3e2c4a6a4fe37a470c72686959d0a3fac19

    • memory/324-58-0x0000000000000000-mapping.dmp

    • memory/844-56-0x0000000075011000-0x0000000075013000-memory.dmp

      Filesize

      8KB

    • memory/1172-67-0x0000000000000000-mapping.dmp

    • memory/1484-61-0x0000000000000000-mapping.dmp

    • memory/1484-70-0x00000000043D1000-0x000000000527D000-memory.dmp

      Filesize

      14.7MB

    • memory/1912-57-0x0000000000000000-mapping.dmp
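A triage helper over the records above, added here as an example; it is not part of the sandbox report or its tooling. It transcribes the process tree and the dropped-file hashes from this page into constructed Python records and flags the three things a responder would want to confirm from this report: that the Startup-folder TTravelerx.exe is a byte-identical copy of the submitted sample (same SHA-256 as the target), that every taskkill invocation targets TTraveler.exe with /f, and that the 24-byte Icon_1.ico handed to cmd.exe is too small to be a PE image (the DOS header alone is 64 bytes). Function names, the byte count assumed for the "1.2MB" copy and the 64-byte threshold are my assumptions, not values from the report.

```python
"""Flag persistence, self-copy and process-kill behaviour from sandbox records.

Added example: the records below are transcribed from the report above, the
function names are not any sandbox tool's API.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# SHA-256 of the submitted sample (from the "General" section).
SAMPLE_SHA256 = "7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77"

# Per-user Startup folder: anything here runs at every logon.
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# A PE file starts with a 64-byte IMAGE_DOS_HEADER; smaller files cannot be PEs.
MIN_PE_SIZE = 64  # assumption used as the threshold below


class Dropped(NamedTuple):
    path: str
    size: int  # bytes
    sha256: str


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]
    cmdline: str


# Dropped files from the "Downloads" section (constructed from the report).
DROPPED = [
    Dropped("C:\\Users\\Admin\\AppData\\Icon_1.ico", 24,
            "d4d3be8ecf145f4e02d8e6f1f7b72688ee11ccc6d5bd626e1fe61e5a71c0e20a"),
    Dropped("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
            "\\Programs\\Startup\\TTravelerx.exe",
            1_200_000,  # report only says "1.2MB"; exact byte count assumed
            SAMPLE_SHA256),
]

# Process tree from the "Processes" section (constructed from the report).
PROCS = [
    Proc(844, None, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\'
         '7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe"'),
    Proc(1912, 844, "taskkill /im TTraveler.exe /f"),
    Proc(324, 844, "cmd.exe /c C:\\Users\\Admin\\AppData\\Icon_1.ico"),
    Proc(1484, 844, '"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu'
         '\\Programs\\Startup\\TTravelerx.exe"'),
    Proc(1172, 1484, "taskkill /im TTraveler.exe /f"),
    Proc(1832, None, "C:\\Windows\\SysWOW64\\DllHost.exe "
         "/Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
    Proc(1744, None, "C:\\Windows\\system32\\AUDIODG.EXE 0x2ec"),
]


def self_copies(dropped: List[Dropped], sample_sha256: str = SAMPLE_SHA256) -> List[str]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [d.path for d in dropped if d.sha256.lower() == sample_sha256.lower()]


def startup_persistence(dropped: List[Dropped]) -> List[str]:
    """Dropped files written into a per-user Startup folder."""
    return [d.path for d in dropped if STARTUP_DIR.lower() in d.path.lower()]


_TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\s+(?P<args>.*)", re.IGNORECASE)


def taskkill_targets(procs: List[Proc]) -> List[Tuple[int, Optional[str], bool]]:
    """(pid, image named by /im, whether /f was given) for each taskkill process."""
    out = []
    for p in procs:
        m = _TASKKILL_RE.search(p.cmdline)
        if not m:
            continue
        args = m.group("args").split()
        target = None
        for i, a in enumerate(args):
            if a.lower() in ("/im", "-im") and i + 1 < len(args):
                target = args[i + 1]
        forced = any(a.lower() in ("/f", "-f") for a in args)
        out.append((p.pid, target, forced))
    return out


def undersized_executions(procs: List[Proc], dropped: List[Dropped]) -> List[Tuple[int, str, int]]:
    """Processes whose command line launches a dropped file too small to be a PE."""
    hits = []
    for d in dropped:
        if d.size >= MIN_PE_SIZE:
            continue
        for p in procs:
            if d.path.lower() in p.cmdline.lower():
                hits.append((p.pid, d.path, d.size))
    return hits


def triage(dropped: List[Dropped] = DROPPED, procs: List[Proc] = PROCS) -> dict:
    """Collect every finding into one dict for reporting."""
    return {
        "self_copies": self_copies(dropped),
        "startup_persistence": startup_persistence(dropped),
        "taskkill": taskkill_targets(procs),
        "non_pe_executed": undersized_executions(procs, dropped),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")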