Overview

overview

8

Static

static

1

844ef86fca...39.exe

windows7-x64

8

844ef86fca...39.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    844ef86fca242327e10270a4c64438ce458b757e78781d5cc9363a81350fbe39.exe

  • Size

    349KB

  • MD5

    44af0d442e1941a625e63b15ad5861c5

  • SHA1

    bbc6ae0ec4f4031a14f282839cbc3cf45d514e6a

  • SHA256

    844ef86fca242327e10270a4c64438ce458b757e78781d5cc9363a81350fbe39

  • SHA512

    d9f0251dbf0abce71f4dec2af55db3dabc16868f56bb680ed523e7e51b1e174f6ea77d59a1a01adf9c4b6ea88325569d0c367ba471f0e9a671d077f1697e63c4

  • SSDEEP

    6144:ye34zV2nu/EJXAF8u1qBhGNy4909VezjiGF+nh9CUZLcb+FL79M:snEJXs1q2N1906jidGUZLcb+Fn9M

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\844ef86fca242327e10270a4c64438ce458b757e78781d5cc9363a81350fbe39.exe
    "C:\Users\Admin\AppData\Local\Temp\844ef86fca242327e10270a4c64438ce458b757e78781d5cc9363a81350fbe39.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk47.icw"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk47.icw"
        3⤵
          PID:1504
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4120
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:520
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3296

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\EditPlus\kk47.icw
        Filesize

        132B

        MD5

        a0045d3d1f4d4352c04206ea23f63abd

        SHA1

        2a9f9ba085ea46b8c85c9bd5f9268a3f7a534e0b

        SHA256

        82eeffafe4647c24262512afac5e6c9748be5b2b13fb9135a86e5e636e71877b

        SHA512

        df9270b5e2b957d8d2e0c2df9559ccc892f2ac02e3336d427fa82e36bce0e2cf2e63fba77317ecfec506fbcba334ca7ff3aed83586ed318b310f471f9452abd5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        e32d02ce684c01ef3af05fae9066160e

        SHA1

        29c7a6e8ed553ac2765634265d1db041d6d422ec

        SHA256

        b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

        SHA512

        e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        841565851672b1bfdb66eb73154df0a3

        SHA1

        e8d4bb9069981276b292be3a2de4bfcdb152630c

        SHA256

        2b7aed43f599cb3c0e5b65e678a04f50f6057af6592cb671cf3a89898b871058

        SHA512

        5239c4c66df44bfe77200e7a7c5c60f043efcfdbe0963c876a314ac17d225bbcc8606467445eea48f12fcf4679dda70eedd97de020bf0f4ef44fb60874241a5c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsjDF3A.tmp\System.dll
        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsjDF3A.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsjDF3A.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk47.icw
        Filesize

        843B

        MD5

        f23b2e81fe44439b81be01204f0eb40a

        SHA1

        628483c315620b99a7d5ae424554ad5ca1db46dc

        SHA256

        95e66434aabdf25e8a4a2934c7a4497af12ca0962b2277aa20b7b6c01d605052

        SHA512

        0955f4400fc7883d8bd593f74508043e644b3ca7506f73984aa4dbf3ad0948c31f5b66599cc788dc5694c70e4d30e0eea34f0370b5b0126910f7d4d70c9b2096

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        271d838f235c3d77964909b79e05cc3d

        SHA1

        e88316549fcbe9c4b4cec8001b63f439884974b9

        SHA256

        1919f130b200be8591051f325137fe0a976295c73f325853ca8167c7da53717e

        SHA512

        1a361ad7c4d9fe217a4fe9ae3056c09a2769941a1377cb91c414453c7cc0d54bc729fae3648c3369d619e86a2c2a2143894726fba657821dca482b8bf7a75419

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        271d838f235c3d77964909b79e05cc3d

        SHA1

        e88316549fcbe9c4b4cec8001b63f439884974b9

        SHA256

        1919f130b200be8591051f325137fe0a976295c73f325853ca8167c7da53717e

        SHA512

        1a361ad7c4d9fe217a4fe9ae3056c09a2769941a1377cb91c414453c7cc0d54bc729fae3648c3369d619e86a2c2a2143894726fba657821dca482b8bf7a75419

        Download Submit

      • memory/1504-138-0x0000000000000000-mapping.dmp

        Download

      • memory/3616-135-0x0000000000000000-mapping.dmp

        Download

      • memory/4120-139-0x0000000000000000-mapping.dmp

        Download