Analysis

  • max time kernel: 147s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20220901-en
  • resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted: 23-11-2022 18:59

General

  • Target: 669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe
  • Size: 1.3MB
  • MD5: 574df1baeb8a3c0772c09ada7c0a72e9
  • SHA1: 081ffa1c06a5161e7613af8d304f5fb4f801bd6d
  • SHA256: 669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87
  • SHA512: 71494890b1b616f25c3f6809711b52f224fb1612c775a7e8d23250afacef54e77a2a808bbbc14998c08b9eded0d2743bc91d5fee5dd59c54e76815819161f584
  • SSDEEP: 24576:G5CF5e45qsC8kSxj4vR7I12obD+yaN1UYn29gFJTa4tui6vUrfb3dSNr7wQ:hFDtCUa1gGN1Un4TfbtSZ9

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies Internet Explorer settings (1 TTP, 52 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe (PID 992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1012)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.51ztzj.com/win7/index.htm
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1036)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: d6ab1c7c42daf4e5365456926ccbf9ab
    SHA1: 0c018cfa6032f80e1a8750080313927186453a4d
    SHA256: 5f5ca2ca221093158701dbc339c7d25be3817aa8b6d75ab7ab530a27b3890413
    SHA512: 5a61ae25e6eeacf7920f6624a3660189cbb1498d55fab97a0b9406727448e9a4956c91e3080aaa5f14680204e83768b75d7ac35ea0863024a1129b5ce64350f1

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize: 13KB
    MD5: 620959cfde43903f8f5afce997bd009c
    SHA1: c2c2862873ddcbc8619592d4636bed1ea11def6c
    SHA256: 9a1d226cd016f5d36ad26c6aa424178c0e486c9a762da89cfe64942e76e743eb
    SHA512: 33cc30cddedf85fc71550d50134011bb9e8fe6bb40df41046bcec728c33e72e5102da982cd010c9f8d5c4b83c8747f4d868ddd68fca895ac12ac710da46ffdc7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WYTY2R3A.txt
    Filesize: 603B
    MD5: 4fb6d6b46af784947a050e09833232a6
    SHA1: 128027fc6d4f01e050d50e94a932759448c42adc
    SHA256: c3a7387b290d1eb7805162186f5bea1ce774dbcc1d4188e023566f63c5002f07
    SHA512: de86b67db2f943763010513c15bf2ed90bb3eac5eeabd7b009c946b87c4d7cf1ee114022d9d806e33da6f5e9b4446b4cef8b36bec3a470132e840d80d546ca77

  • \Users\Admin\AppData\Local\Temp\nsd2280.tmp\Splash.dll
    Filesize: 4KB
    MD5: ff8340b98dbd0c4f38d06627b97637a4
    SHA1: aae736a26fbb1ed5e9fddd956115699a910b3435
    SHA256: 6dad450c8b77a4827899eb54347d6f0c3a225c56920b0565dbc6b63c33bc176f
    SHA512: 58eda9fdc3e69c651f96d2994c76afd9e09624de5622177996b3ca9cfb9fbadb4489996ac49d220de16963acc734853239b807c65c50f79d39f4b292925ec685

  • memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp
    Filesize: 8KB