Overview

overview

10

Static

static

eb550e46d5...97.exe

windows7-x64

10

eb550e46d5...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897.exe

  • Size

    1.3MB

  • MD5

    2e799370d6508d56074d6b313526fe27

  • SHA1

    87593d6b340105f1cdfb580d52b943345b82c8b3

  • SHA256

    eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897

  • SHA512

    2dda7088754666d353f7618a29587f6f5da34119477b207cdcba940d9c4c4cb7c649584a4d13a8793c511c52aa74ba79f4168f69b43cc24cf20d3faa6975c580

  • SSDEEP

    1536:kls8qrbQYURPAYmYf1F92m214L5d5TQTH9F+UTQ2nxvQYKV6yZPcAnouy8:vwPAq1F92Z4L5ETH9EPo4YK1pcoout

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897.exe
    "C:\Users\Admin\AppData\Local\Temp\eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Windows security modification
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4308
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:348
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4880 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:5028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    2
    T1031

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Modify Registry

    11
    T1112

    Hidden Files and Directories

    2
    T1158

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      2KB

      MD5

      38a9ee40b61155284982e2fa94ecabb8

      SHA1

      48847436aebb7737c0ffb7a1c7890b97277372ec

      SHA256

      39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

      SHA512

      1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      e32d02ce684c01ef3af05fae9066160e

      SHA1

      29c7a6e8ed553ac2765634265d1db041d6d422ec

      SHA256

      b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

      SHA512

      e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      23c896e3fc14b0352780bf8710ebd27a

      SHA1

      f80cbc14c2447f02c067cc2c126e105b552d472b

      SHA256

      df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

      SHA512

      230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
      Filesize

      472B

      MD5

      176c5bdeeb799ec212e8b21126aa58d5

      SHA1

      02c76719828821643ec84cfe61ecb4499838021c

      SHA256

      eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

      SHA512

      a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      488B

      MD5

      2c40ca2245596f4e80cfd7aaad5c1804

      SHA1

      e2c1e58a5702997462f8f08abd74420739bcc4df

      SHA256

      6439803add6b4bf02268e5356a88f861480f5d917437399e1ac061ed1c226894

      SHA512

      52436cb41bc9749bab8ccab30adb35b7065080440c2e313aba0f7f9c24a3e3090a2ce593b7b9ec30010277487281af907c8fde4ce6476257f87b6a0a4227fa48

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      957a435f2d9562f2b00066534555563a

      SHA1

      10e5ea61b128768799cef618066d798d108ef913

      SHA256

      557c9b8818061deb764e6cacf7bea495928f7953904d6bd7f54b4fccf930e66a

      SHA512

      3f9bcfaffe028982d39071a424b98e97ab7055432c5a945bc841a85169a60b4c74aa2992f4a3f0595255a57a7a2bf9687129af7db6608d87903ec6f7c1323c4a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      92075662449b8359b5659ab2c90e5ade

      SHA1

      a957fbeb6d22c9c3eacaab8da7fe695966d322a8

      SHA256

      2c3b65395c5df15a8b7b848e93a8d6321f2d0144c8f8ea372e496f2e5b288bf8

      SHA512

      d1ddb9e9ef11248c7fe1e4dddadc84f9757c31bd77714b48eaf2c91932eb559fbadd3077fa966ec4017f989756172091590606611141e3a7ddf7c178306e384b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
      Filesize

      480B

      MD5

      42434b6ce75150d6065a5a610200c89d

      SHA1

      87e1a6b7aeca28aba8872efacbbb50e9380f4067

      SHA256

      17f2b6c7667717864fd30321305f45d08974fe1cb7d3e5ab1086863d508a4842

      SHA512

      9c5dfee0304b62c8f818c1ce1f687f80292d1bf9fcda6ac74bb9b7922f996441deb3eff9de2d8f525b2d9ad4d506927e73e78b445027aac27aa15d4adbdf2897

      Download Submit
    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      1.3MB

      MD5

      2e799370d6508d56074d6b313526fe27

      SHA1

      87593d6b340105f1cdfb580d52b943345b82c8b3

      SHA256

      eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897

      SHA512

      2dda7088754666d353f7618a29587f6f5da34119477b207cdcba940d9c4c4cb7c649584a4d13a8793c511c52aa74ba79f4168f69b43cc24cf20d3faa6975c580

      Download Submit
    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      1.3MB

      MD5

      2e799370d6508d56074d6b313526fe27

      SHA1

      87593d6b340105f1cdfb580d52b943345b82c8b3

      SHA256

      eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897

      SHA512

      2dda7088754666d353f7618a29587f6f5da34119477b207cdcba940d9c4c4cb7c649584a4d13a8793c511c52aa74ba79f4168f69b43cc24cf20d3faa6975c580

      Download Submit
    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      1.3MB

      MD5

      2e799370d6508d56074d6b313526fe27

      SHA1

      87593d6b340105f1cdfb580d52b943345b82c8b3

      SHA256

      eb550e46d5e2edb94eec12497a644012de9114e102d64192facab8709b696897

      SHA512

      2dda7088754666d353f7618a29587f6f5da34119477b207cdcba940d9c4c4cb7c649584a4d13a8793c511c52aa74ba79f4168f69b43cc24cf20d3faa6975c580

      Download Submit
    • memory/2784-140-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2784-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4308-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4308-150-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4308-149-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4308-146-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4308-145-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4308-142-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4404-134-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download