Overview

overview

10

Static

static

8

162b668410...40.exe

windows7-x64

10

162b668410...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    255s
  • max time network
    363s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540.exe

  • Size

    766KB

  • MD5

    3d13cccbaf8188cbd9fe73d335a57cb9

  • SHA1

    ead58a588c5e050afc2a911008c12fe8f6806aa4

  • SHA256

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540

  • SHA512

    be1b1412aa83f49f92d86f027941f4023d2470eb194e31b00a78273e132e69bfb250bb2bb3de8ed71ed54108065c23fb0165afe450beb614a69ba6afc707ad79

  • SSDEEP

    3072:/PigQTYHrQbQ+cVEwTMZpgITj+uAdS58UVMwout:/PigQowoS

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540.exe
    "C:\Users\Admin\AppData\Local\Temp\162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:560
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:824 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    38a9ee40b61155284982e2fa94ecabb8

    SHA1

    48847436aebb7737c0ffb7a1c7890b97277372ec

    SHA256

    39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

    SHA512

    1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
    Filesize

    7KB

    MD5

    f739b394d30d392d8eb28922bf5a7e12

    SHA1

    78124ad341a0e03ecbb7660011409767e6678fef

    SHA256

    4fff638b8a8f8004eb7a6f5d71ba702373ece50bbe85f499d00d09e7c86dc543

    SHA512

    48cf40407485d1a22f728220a64dc15e85cf051a44104019efa868cc7fccdefcfea2169eea8fb72be819a8c67892aeee72fd22deca31b8bfbd3f8018e55e215f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    23c896e3fc14b0352780bf8710ebd27a

    SHA1

    f80cbc14c2447f02c067cc2c126e105b552d472b

    SHA256

    df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

    SHA512

    230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    3d7c8ca9351077fd00fbf1cdecae78be

    SHA1

    90546bb8781381e890a0836efd80c241bebd4082

    SHA256

    6fddd60820137c4646b123ef1d0bbcbe788b3dad083455ca04221c83b77c1b11

    SHA512

    582910e209d627e14effc5e8fe1de82769797c220e16e422888cec277f463af94643ccece85c2cd90c61bd4f704909126f9b8ae2b841ae7d25f8e57b8787abf3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
    Filesize

    232B

    MD5

    d089a2445d717dfeb2dd53b59e20741f

    SHA1

    f0b83d472a166efccd9dc2193e7412d4dfa613a2

    SHA256

    f7fc2320ef0e9902e20cc8efd121d8a4e35924056963157d637becef80e6b843

    SHA512

    cc6adf6ca7637ba29f435d0cfe2fdd0225e97a344f8e18eb3b99f56e61c84956f79091c5af5caa42f7f75c5728607b0311f3d00e3f5077609deaf74857c69d19

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f2093902e2356953004d656b5c7f9471

    SHA1

    f963f8e739575462005b66711be70697e8fe8079

    SHA256

    77f144a67a3a6d1e046465943ced1e671b2311878a95dd165f6921fcc937d2f4

    SHA512

    30e1370b0ec2de72b2ac3541758da8fea465b1196214d0a928584e316542f95d4e112edc3944118e626f4e31d4574bce9fc6971c79ac6778de6a5284997213bf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    222f87adfdbaf1256d07cf1a31ff0f08

    SHA1

    e0ab79cc8e20c18afd906db9cb179bb4ac1a0fbf

    SHA256

    4e187b111d630d8d84004d36687c882bd78cba7b8a041c86419a09fd2d0798d8

    SHA512

    434984b68b3c7f2a16082b3c30e77f6bfe080fc0d4e7ee42a40c1979825a2d903da609918edc0c51c0ab8ec18be48308d3c61c317dbd5b5a24397d3ac7e0ddf3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b2298df584414b229db034e9bc268c52

    SHA1

    28f3209f1e5a3312daf1efbcc1d3331e9c83a957

    SHA256

    feeae51230b4101402e59f85bd9f010a6f1914d351c10aabb2a835d75726645e

    SHA512

    9a5623c0cbfc5075c86bd1f912402ab87d0bd7d659b92419e69c64e129e6ecc6bdd9f6e948edbfd064197e0b290943f606d353034180a95c4e53aa5fab08bd9f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3575d869be998dba01c64bbb353f25b2

    SHA1

    208cab288cd55b3942a9e0a483efd72581d8690f

    SHA256

    48660bdaf72683f2308eefcb2794caf027c503bdc9f1578dc6dfa94b60ee4f27

    SHA512

    c82729f4533c60f7c7a8b467c36f791221f3c1e2671c9a6c11bd37a43b92d825b1db424e552ecf586febe2f02c0de165280a87792d84453d67aff74fe1f685c2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    fb4d63120a98e816036ed8954a62e649

    SHA1

    91caa74ecfde244400a5e414a8ed04429b1e78fa

    SHA256

    7a46564fadc6249f90a91bb677e5b0414181de55af3a8fc23bf67c13679ac4ef

    SHA512

    ca61baeba26f516de517707b2e4e3973f46488bb01790df37f9c1b21915c5c723a708ef8285cde36e642fcc36a71ef58eb3c4db962c65193b120f6df61729842

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
    Filesize

    480B

    MD5

    d1b99239789cffb6a36e1e36e0683b72

    SHA1

    35915a518bb096fc25f13c98d23729c5a914ce2c

    SHA256

    3f11deea96717d69aa60d07bf590e0eb0674a5b95249b540845e4228df3e20a3

    SHA512

    956c6ae413cf426ef82f9c0d5ab8af2c39d19706e1efc88e2f20e57e2c0b98d2a86bf0caeab59bb8bdc28210c908f9a0e7bbdf6420a79d75e8280b898655187c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KLJLIU9P.txt
    Filesize

    97B

    MD5

    b2e151e2f2f5ff9f436d1a216f0865ab

    SHA1

    f5de7f5defd477f912e855798f6193e8455fe43a

    SHA256

    0256b17c7d6860e96b8478db02350eeaac88dacc31608635e6fdb9c5c512032b

    SHA512

    07bc8551c287c4dae09655ed5d72ed9142a11808d28b7884f1e69f4d198719c86d931ec53683f7e5c8a1d382c870ef6d671e51f8eba194892e11ec80beb5b6e5

    Download Submit

  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    766KB

    MD5

    3d13cccbaf8188cbd9fe73d335a57cb9

    SHA1

    ead58a588c5e050afc2a911008c12fe8f6806aa4

    SHA256

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540

    SHA512

    be1b1412aa83f49f92d86f027941f4023d2470eb194e31b00a78273e132e69bfb250bb2bb3de8ed71ed54108065c23fb0165afe450beb614a69ba6afc707ad79

    Download Submit

  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    766KB

    MD5

    3d13cccbaf8188cbd9fe73d335a57cb9

    SHA1

    ead58a588c5e050afc2a911008c12fe8f6806aa4

    SHA256

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540

    SHA512

    be1b1412aa83f49f92d86f027941f4023d2470eb194e31b00a78273e132e69bfb250bb2bb3de8ed71ed54108065c23fb0165afe450beb614a69ba6afc707ad79

    Download Submit

  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    766KB

    MD5

    3d13cccbaf8188cbd9fe73d335a57cb9

    SHA1

    ead58a588c5e050afc2a911008c12fe8f6806aa4

    SHA256

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540

    SHA512

    be1b1412aa83f49f92d86f027941f4023d2470eb194e31b00a78273e132e69bfb250bb2bb3de8ed71ed54108065c23fb0165afe450beb614a69ba6afc707ad79

    Download Submit

  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    766KB

    MD5

    3d13cccbaf8188cbd9fe73d335a57cb9

    SHA1

    ead58a588c5e050afc2a911008c12fe8f6806aa4

    SHA256

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540

    SHA512

    be1b1412aa83f49f92d86f027941f4023d2470eb194e31b00a78273e132e69bfb250bb2bb3de8ed71ed54108065c23fb0165afe450beb614a69ba6afc707ad79

    Download Submit

  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    766KB

    MD5

    3d13cccbaf8188cbd9fe73d335a57cb9

    SHA1

    ead58a588c5e050afc2a911008c12fe8f6806aa4

    SHA256

    162b668410a7ea7a257f146c2867f3a98e2a7b9a0e63c8641b6c1d745113d540

    SHA512

    be1b1412aa83f49f92d86f027941f4023d2470eb194e31b00a78273e132e69bfb250bb2bb3de8ed71ed54108065c23fb0165afe450beb614a69ba6afc707ad79

    Download Submit

  • memory/268-66-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/268-64-0x00000000024F0000-0x0000000002537000-memory.dmp

    Filesize

    284KB

    Download

  • memory/268-56-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/268-59-0x00000000024F0000-0x0000000002537000-memory.dmp

    Filesize

    284KB

    Download

  • memory/268-57-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/560-76-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/560-75-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/560-88-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/560-89-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/560-71-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/560-72-0x000000000043C580-mapping.dmp

    Download

  • memory/1448-69-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1448-65-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1448-61-0x0000000000000000-mapping.dmp

    Download