Overview

overview

10

Static

static

6f83b817a7...d9.exe

windows7-x64

8

6f83b817a7...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe

  • Size

    361KB

  • MD5

    528d5072eb08c4cc86e0d39da96f42a0

  • SHA1

    ffd2bb8a4bc6ba31ca2c08fc325f37cc853bb80c

  • SHA256

    6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9

  • SHA512

    1e8a6bec2ffeaf50d835fa324e4529cf6c64e84de38658a19860aa9c418a38683d211e118dc47027b8ef00698bf12f415a45369d3af41dbcaa6a44097e3f4a2a

  • SSDEEP

    6144:VflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:VflfAsiVGjSGecvX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
    "C:\Users\Admin\AppData\Local\Temp\6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Temp\esrnjfeawkgfbxtp.exe
      C:\Temp\esrnjfeawkgfbxtp.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\ajtdmwyirb.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1112
        • C:\Temp\ajtdmwyirb.exe
          C:\Temp\ajtdmwyirb.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1000
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:920
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1624
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\i_ajtdmwyirb.exe ups_ins
        3⤵
        • Executes dropped EXE
        PID:1052
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • C:\Temp\ajtdmwyirb.exe
    Filesize

    361KB

    MD5

    f7ef58c92d72d3edc51423cfe63ac814

    SHA1

    6c1844c7569f4409f877912c3942d314ec02f829

    SHA256

    d9ff2fb38b50d6fb9cc5853264285a624858173374da13663b9289f2cf485351

    SHA512

    548e3b9694f188bfa1312c602bd010aab79a5df14e00368d6b1a1c1f83770b28b3b4671ee21fafa9d0960b5139431426851ceff4a39fd773b0c1f73c2cd59d8b

    Download Submit
  • C:\Temp\esrnjfeawkgfbxtp.exe
    Filesize

    361KB

    MD5

    c81c094c835c535207e64883ed4112ba

    SHA1

    ea441dd2f50c12dca3019c3eaa8359b460e902b3

    SHA256

    5de36e8a1aeea14cdeda3facaf650f1fd145416dd0bae61f1d545ea202858990

    SHA512

    d1f1e10b3d54e1a5306dc7d75a18788759041f409ef6a0bf7122e07fbc0952b0079884ce16d3629b6f9c763be90caf06420489ff0c58f3716bc0d2cbeb8788df

    Download Submit
  • C:\Temp\esrnjfeawkgfbxtp.exe
    Filesize

    361KB

    MD5

    c81c094c835c535207e64883ed4112ba

    SHA1

    ea441dd2f50c12dca3019c3eaa8359b460e902b3

    SHA256

    5de36e8a1aeea14cdeda3facaf650f1fd145416dd0bae61f1d545ea202858990

    SHA512

    d1f1e10b3d54e1a5306dc7d75a18788759041f409ef6a0bf7122e07fbc0952b0079884ce16d3629b6f9c763be90caf06420489ff0c58f3716bc0d2cbeb8788df

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YG7SIC23.txt
    Filesize

    608B

    MD5

    902642182f5583cd1acf6fccdd60794a

    SHA1

    20d0b17040ae24881c42005e874c7b6f3445f0ad

    SHA256

    67318f33f824160418778dff9d50f229b674f3af7bea2de000f9a119ac4ef0eb

    SHA512

    d9bc4c7739786ca0d54745f5bbf5bd9a8e4773c770460dd69578c213704b6fcaaedde5c66902c52f6a50902122e0f0fd532551461388b516ac0867c897a32d7e

    Download Submit
  • C:\temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8b16835040a24ce71ac1c5ccfd625c56

    SHA1

    43b7839e1603ef9a2bf70aea2a912b9ac8f56104

    SHA256

    1841f81325d7feede3794a4fd35fb65e9093b568cc0cafd6c3d1f7daf55fd717

    SHA512

    41683c70ccc2f20c8011b30479fb41eb517e81f26b705ec51cfe6e7f8bad35144be757b9fa90d0ff3608008d6ed369978a9d295e6a3932f2d29c7d219dab1183

    Download Submit
  • \Temp\esrnjfeawkgfbxtp.exe
    Filesize

    361KB

    MD5

    c81c094c835c535207e64883ed4112ba

    SHA1

    ea441dd2f50c12dca3019c3eaa8359b460e902b3

    SHA256

    5de36e8a1aeea14cdeda3facaf650f1fd145416dd0bae61f1d545ea202858990

    SHA512

    d1f1e10b3d54e1a5306dc7d75a18788759041f409ef6a0bf7122e07fbc0952b0079884ce16d3629b6f9c763be90caf06420489ff0c58f3716bc0d2cbeb8788df

    Download Submit
  • memory/920-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1052-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1112-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1428-55-0x0000000000000000-mapping.dmp
    Download