Overview

overview

10

Static

static

cb01a06e06...4e.exe

windows7-x64

10

cb01a06e06...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    226s
  • max time network
    316s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e.exe

  • Size

    106KB

  • MD5

    0256b9114ceef0d6d26dc0c2c670e2c1

  • SHA1

    0fedcec54e731ae0d1d0bb35206de668bbf4381e

  • SHA256

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e

  • SHA512

    eac638db6fc6a44706866e7fab2c9d4b76b9714bda420d1698a94e91abc4f898f6d8cb5c22d292a17dd162dc8e9b4cc2bd3248ca747bbddb71a7446650887bf9

  • SSDEEP

    3072:lvrgj+PhRe3skijnAB6Icxj68oWdbgyvRcSvUvRKoutQ7NUyz67M:lvsjAg3skiz265xj6nmbgy5TARKoS6TJ

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e.exe
    "C:\Users\Admin\AppData\Local\Temp\cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Users\Admin\E696D64614\winlogon.exe
        Error 448
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1956
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

13
T1112

Hidden Files and Directories

2
T1158

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    38a9ee40b61155284982e2fa94ecabb8

    SHA1

    48847436aebb7737c0ffb7a1c7890b97277372ec

    SHA256

    39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

    SHA512

    1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    23c896e3fc14b0352780bf8710ebd27a

    SHA1

    f80cbc14c2447f02c067cc2c126e105b552d472b

    SHA256

    df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

    SHA512

    230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    f82a4e57edf89aff9ecaa7660f89ee36

    SHA1

    bbeba436e898a42acc905913e793aa919d011a02

    SHA256

    96caffb258d20db705ff33935448f04cd96cc1b9402a4542d9d5f5221189c945

    SHA512

    e35114206d5f615de82a2642160451dcc3029c911791422ac90236e7421edf85f7c14d627fc836a8f70ff85ed40c86d0f67b6e17dd207104c77a0ba6097e7f74

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e342b7bbe4958aad4922939ff05390fd

    SHA1

    132211039d7f3d092fc87037f2986931e0d97777

    SHA256

    9c8d2fbc2271039d56539609345835fb5e3728e80816305dd0b88aceee218a94

    SHA512

    1da937cb623d839bee19b351681e7f04c3f6014459b7d58e77086856ffa8fb2e880a90411495e10cddb4f3eb67ee53acdc08504e4b7e984c0a80f1c53aec0ebc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    821ebe6bd754324fff22e4f887157d54

    SHA1

    6ba3e23ca09181271deee9e4c444d2b2920e12a9

    SHA256

    0dca320a11bd7eba401de64634f7e61859aa053b3feb65ebeaf0f63623c35001

    SHA512

    af5623d32221187236619383aae84bdaa4dbb942268618778b6bd056f74856aa56008266ed80ce011e863b47c22cf725f034d9a3ad3ef11b9dad8cdd2198dce8

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    3255a6df86b450e8f71295dd76cdab5f

    SHA1

    acb7cd1fb0457c00038c55756cdd1d99373d194c

    SHA256

    010840a1c92f5ab21b9b120123d2f5642db722ce41a0bb6d7d0fbd39e1f00e5f

    SHA512

    388d24f9eabbf0ad52792e46acec7e63383ef73d3738eff22663b3476b54288448ef047e0b66e5c22ee63a31a88274c9795998d953ca317756036c7b5881ec12

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
    Filesize

    480B

    MD5

    46a141c28708b08b91c02fe81ec56e9b

    SHA1

    a3c2c0436d66a993c76532de7c370f33fd547672

    SHA256

    ae632757b8e091631d311fad28637061ee79f6d8a3514976d8cca3a4d07ffad0

    SHA512

    e8deb19d2284c176e52df53ec0aba20260c22c1f2b5e405836716a8d9a2c90f81e8b18d8911a6fe8db228cefb276617996ff049b7316753ec9e4dcc688d11c5c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LWG5PMWY.txt
    Filesize

    97B

    MD5

    bfe74e1b1f35526c4429d2926fcdb672

    SHA1

    97660c99dcfbc818595ce0177e17b88b24df49eb

    SHA256

    4409a4b359dd63bfc43f0a4951c2d6286fda041f7c03171a142a0213a5259168

    SHA512

    c369ba4243dfc7a758fb5657471ffa866cd066cc7bc26ea149f13e44038e2001051f595e91bd5f1c446f9b176740f89b4778c0aaeabf595f9289e51d55990dc2

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    106KB

    MD5

    0256b9114ceef0d6d26dc0c2c670e2c1

    SHA1

    0fedcec54e731ae0d1d0bb35206de668bbf4381e

    SHA256

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e

    SHA512

    eac638db6fc6a44706866e7fab2c9d4b76b9714bda420d1698a94e91abc4f898f6d8cb5c22d292a17dd162dc8e9b4cc2bd3248ca747bbddb71a7446650887bf9

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    106KB

    MD5

    0256b9114ceef0d6d26dc0c2c670e2c1

    SHA1

    0fedcec54e731ae0d1d0bb35206de668bbf4381e

    SHA256

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e

    SHA512

    eac638db6fc6a44706866e7fab2c9d4b76b9714bda420d1698a94e91abc4f898f6d8cb5c22d292a17dd162dc8e9b4cc2bd3248ca747bbddb71a7446650887bf9

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    106KB

    MD5

    0256b9114ceef0d6d26dc0c2c670e2c1

    SHA1

    0fedcec54e731ae0d1d0bb35206de668bbf4381e

    SHA256

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e

    SHA512

    eac638db6fc6a44706866e7fab2c9d4b76b9714bda420d1698a94e91abc4f898f6d8cb5c22d292a17dd162dc8e9b4cc2bd3248ca747bbddb71a7446650887bf9

    Download Submit
  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    106KB

    MD5

    0256b9114ceef0d6d26dc0c2c670e2c1

    SHA1

    0fedcec54e731ae0d1d0bb35206de668bbf4381e

    SHA256

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e

    SHA512

    eac638db6fc6a44706866e7fab2c9d4b76b9714bda420d1698a94e91abc4f898f6d8cb5c22d292a17dd162dc8e9b4cc2bd3248ca747bbddb71a7446650887bf9

    Download Submit
  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    106KB

    MD5

    0256b9114ceef0d6d26dc0c2c670e2c1

    SHA1

    0fedcec54e731ae0d1d0bb35206de668bbf4381e

    SHA256

    cb01a06e06cb40d5a3da85462415df9a03d8682524e16a1ac361aaa0883f734e

    SHA512

    eac638db6fc6a44706866e7fab2c9d4b76b9714bda420d1698a94e91abc4f898f6d8cb5c22d292a17dd162dc8e9b4cc2bd3248ca747bbddb71a7446650887bf9

    Download Submit
  • memory/268-63-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/268-54-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/268-58-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/268-55-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/588-68-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/588-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1956-79-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1956-74-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1956-69-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1956-73-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1956-70-0x000000000043C500-mapping.dmp
    Download
  • memory/1956-87-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download