Analysis
-
max time kernel
203s -
max time network
207s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 17:10
General
-
Target
45942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035.exe
-
Size
1.4MB
-
MD5
03476ef4e964276abc2eeae64fbe1f42
-
SHA1
2edae4c944d4e6b01e4528c666be3b84498f062c
-
SHA256
45942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035
-
SHA512
42f14ac567c73ddcf4875fb9c03093ab31d60c5c1c6ce466189c9b8847f0e4c75cf51cbe9cfe775003e5beee08708669f0aec4b34e5698e89acf8ffe742565c3
-
SSDEEP
1536:kls8qrbQYURPAYmYf1F92m214L5d5TQTH9F+UTQ2nxvQYKV6yZPcAnouy8:vwPAq1F92Z4L5ETH9EPo4YK1pcoout
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 18 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 15 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 61 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035.exe"C:\Users\Admin\AppData\Local\Temp\45942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD538a9ee40b61155284982e2fa94ecabb8
SHA148847436aebb7737c0ffb7a1c7890b97277372ec
SHA25639dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5
SHA5121ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553
-
Filesize
1KB
MD523c896e3fc14b0352780bf8710ebd27a
SHA1f80cbc14c2447f02c067cc2c126e105b552d472b
SHA256df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0
SHA512230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e
-
Filesize
472B
MD5176c5bdeeb799ec212e8b21126aa58d5
SHA102c76719828821643ec84cfe61ecb4499838021c
SHA256eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842
SHA512a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed
-
Filesize
488B
MD59a112f1a83680e5a3c50d6f4bd37bba6
SHA131be3271df4304c04d109a74a6f19cbeb6ccc601
SHA2564371aabffa80a2cec52297e6df3d1928daab37932f20bc35b91f777e9c3d3f8e
SHA512c456e6320b45215108e7b33fcadd7e718d7badf45f7a4828484b61036aa4cdb0938a82e44b0b075f26ad5e1195e10759b159fb8588d4e82e1f6ba333fa457456
-
Filesize
482B
MD59c7b23c6ae7d9631c9659d9e59d313df
SHA11ef0bd83661ed7a0343846bfef497e64d5e95b93
SHA256beceba701237fe9c92c51a026f6cd1cceff70e5466f8ab796b366c1da4a8af16
SHA512c55775663655c3b973d5382b435e2e9678e42a4e2a9e7d86bb71eb737eb10eca98e29c5cb6683022406b0c0b922f880c3ffd2ffe0d6c150d035d67216ac97edb
-
Filesize
480B
MD5cd101ed35bdf480a707454e4140caead
SHA1d00d0fe1a57e4ddb219661bef929c0fccf476922
SHA256ffe2a6f6f9886728a8af9d9bffa8f966dd7921ffc3c2c8fd2f7d6d56e46fd363
SHA512e1e89c0ecc88aac0017ba51c0ec4bc14c2cdad6afc93c83e024dfa44d3c508425c7f99f6acadf7a2b5c861c0225d9f7ac914d803ef8694d49158dfde75be6304
-
Filesize
1.4MB
MD503476ef4e964276abc2eeae64fbe1f42
SHA12edae4c944d4e6b01e4528c666be3b84498f062c
SHA25645942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035
SHA51242f14ac567c73ddcf4875fb9c03093ab31d60c5c1c6ce466189c9b8847f0e4c75cf51cbe9cfe775003e5beee08708669f0aec4b34e5698e89acf8ffe742565c3
-
Filesize
1.4MB
MD503476ef4e964276abc2eeae64fbe1f42
SHA12edae4c944d4e6b01e4528c666be3b84498f062c
SHA25645942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035
SHA51242f14ac567c73ddcf4875fb9c03093ab31d60c5c1c6ce466189c9b8847f0e4c75cf51cbe9cfe775003e5beee08708669f0aec4b34e5698e89acf8ffe742565c3
-
Filesize
1.4MB
MD503476ef4e964276abc2eeae64fbe1f42
SHA12edae4c944d4e6b01e4528c666be3b84498f062c
SHA25645942352c3d9ae91ed0d3a1e6f326eb6ef31be93b31f5cdc327cb2f21e7ec035
SHA51242f14ac567c73ddcf4875fb9c03093ab31d60c5c1c6ce466189c9b8847f0e4c75cf51cbe9cfe775003e5beee08708669f0aec4b34e5698e89acf8ffe742565c3
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
-
Filesize
248KB