Overview

overview

8

Static

static

1

eece7f819c...b0.exe

windows7-x64

8

eece7f819c...b0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eece7f819c5fdac04e65f31a3269f64721e4662eb2646cea10e287330dcd9bb0.exe

  • Size

    349KB

  • MD5

    1cd062e801e62d40d9664ce0cc651ce9

  • SHA1

    2c69e0b95127a78184ad65c000054504fe6ba763

  • SHA256

    eece7f819c5fdac04e65f31a3269f64721e4662eb2646cea10e287330dcd9bb0

  • SHA512

    5d57fdc800c7ddff8f839e6b359d933f68f566f57124502ecf86c6e3fb26b764dc66acce223a0244c65d86e545e2c84942de86ae6b48ec86166ae177bf1bfdc9

  • SSDEEP

    6144:ye34o0nu/EJXAF8u1qBhGNy4909VezjiGF+nh9CUZLcb+FPfL:VEJXs1q2N1906jidGUZLcb+FPfL

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eece7f819c5fdac04e65f31a3269f64721e4662eb2646cea10e287330dcd9bb0.exe
    "C:\Users\Admin\AppData\Local\Temp\eece7f819c5fdac04e65f31a3269f64721e4662eb2646cea10e287330dcd9bb0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk14.icw"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk14.icw"
        3⤵
          PID:5052
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3476
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4596
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4840 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2804

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\EditPlus\kk14.icw
        Filesize

        132B

        MD5

        09c1c8d122a078047374e40672f7c912

        SHA1

        d07354a21ccbf6b088f02fb46dcd65640751b48a

        SHA256

        aef3c432e15d7d0fca224254765e050e6060711ee9a529dae6ea0ef651147186

        SHA512

        71d506bf41272ffece1ae23dd28bba3d31cf7343574bd25aab905b9691185535c4a47fad3a036eef2985228e1342eb2d83e1f6911c9b75567bbafc03213e5833

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nso6979.tmp\System.dll
        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nso6979.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nso6979.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk14.icw
        Filesize

        843B

        MD5

        92d0b18bf5390daa47e3602147bdaf9f

        SHA1

        395108c8de7d44e2a4cb5a94472116a5305fce08

        SHA256

        09ed7c0e63b3f7ebe97f4a11762360fc2af04c0108ad96706811ee6a3a41506c

        SHA512

        211e45310832df0ccc8cc46bfd7ba764a926d6bc1d230fc6438d1c54a78b875852a84a594455a72be28888c6652dcb243ef96706ec59ac2d265471847ec4457b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        fe94d150b5af09fc4d83879bd078addd

        SHA1

        bcae33512fda9fbeceaecd18f13636681d2ce11c

        SHA256

        c573b9d439b55159540ef708f76f65b740ce0fd349e5b10af9ca78fecfbfc0d2

        SHA512

        28668c5933425a91cebf7b3f2c934f3d4dd950d47ab472e0456fa1340e19af6ae0048bb7eeaea205517139af7539f20917c998f97cc4de359de3e0748ac9e641

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        fe94d150b5af09fc4d83879bd078addd

        SHA1

        bcae33512fda9fbeceaecd18f13636681d2ce11c

        SHA256

        c573b9d439b55159540ef708f76f65b740ce0fd349e5b10af9ca78fecfbfc0d2

        SHA512

        28668c5933425a91cebf7b3f2c934f3d4dd950d47ab472e0456fa1340e19af6ae0048bb7eeaea205517139af7539f20917c998f97cc4de359de3e0748ac9e641

        Download Submit

      • memory/3476-139-0x0000000000000000-mapping.dmp

        Download

      • memory/3692-135-0x0000000000000000-mapping.dmp

        Download

      • memory/5052-138-0x0000000000000000-mapping.dmp

        Download