Overview

overview

8

Static

static

69f52a8bdb...91.exe

windows7-x64

8

69f52a8bdb...91.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    286s
  • max time network
    342s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe

  • Size

    65KB

  • MD5

    571d52bc7401a718028fec84451e2070

  • SHA1

    51a6c0402cfded7892d1c44be87fb73f708219f9

  • SHA256

    69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91

  • SHA512

    22d5700d523c49340e79efe7a7d74399742aa3bee1d613857ebf54b97f9bb361785723ef809aca469c58891f58b44405fdea9f8f06fcf251aadfbed31162536d

  • SSDEEP

    768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7FMAnXMcMaJIWmS2zIzV9xJv:sr+Fum5LMI+WTJjcXnXMcpm/zOxJXKJY

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops autorun.inf file 1 TTPs 24 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
    "C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1080
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:3084
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AE 0124 BE.exe
    Filesize

    130KB

    MD5

    9b358d4e86d16078d891d9721f886975

    SHA1

    844830757c807f2f1cab7dc5effa754b18f7699c

    SHA256

    077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

    SHA512

    fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

    Download Submit
  • C:\Windows\AE 0124 BE.exe
    Filesize

    130KB

    MD5

    9b358d4e86d16078d891d9721f886975

    SHA1

    844830757c807f2f1cab7dc5effa754b18f7699c

    SHA256

    077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

    SHA512

    fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

    Download Submit
  • C:\Windows\AE 0124 BE.gif
    Filesize

    131KB

    MD5

    aba386a2e82a1ae3a117c413bd7f1f79

    SHA1

    ce24ec2e15413e0a7d20288c36f5669517f703fb

    SHA256

    1731576df84429b112876f4f9711a3571a15e8e40f93dbf95a3dff1f86876992

    SHA512

    c84e934e07e9c502a76b5a94704aa7b90f214ad5d6f96fefb69425613a6bba915d99d3b3e0642585aa00a0921bec557f9c844e86751691729e4bc1ba2906132e

    Download Submit
  • C:\Windows\AE 0124 BE.gif
    Filesize

    131KB

    MD5

    aba386a2e82a1ae3a117c413bd7f1f79

    SHA1

    ce24ec2e15413e0a7d20288c36f5669517f703fb

    SHA256

    1731576df84429b112876f4f9711a3571a15e8e40f93dbf95a3dff1f86876992

    SHA512

    c84e934e07e9c502a76b5a94704aa7b90f214ad5d6f96fefb69425613a6bba915d99d3b3e0642585aa00a0921bec557f9c844e86751691729e4bc1ba2906132e

    Download Submit
  • C:\Windows\Msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit
  • C:\Windows\Msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit
  • C:\Windows\SysWOW64\drivers\MSVBVM60.DLL
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit
  • C:\Windows\SysWOW64\drivers\Msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit
  • C:\Windows\SysWOW64\drivers\Msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit
  • C:\Windows\SysWOW64\drivers\winlogon.exe
    Filesize

    130KB

    MD5

    9b358d4e86d16078d891d9721f886975

    SHA1

    844830757c807f2f1cab7dc5effa754b18f7699c

    SHA256

    077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

    SHA512

    fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

    Download Submit
  • C:\Windows\SysWOW64\drivers\winlogon.exe
    Filesize

    130KB

    MD5

    9b358d4e86d16078d891d9721f886975

    SHA1

    844830757c807f2f1cab7dc5effa754b18f7699c

    SHA256

    077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

    SHA512

    fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

    Download Submit
  • C:\Windows\SysWOW64\drivers\winlogon.exe
    Filesize

    130KB

    MD5

    9b358d4e86d16078d891d9721f886975

    SHA1

    844830757c807f2f1cab7dc5effa754b18f7699c

    SHA256

    077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

    SHA512

    fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

    Download Submit
  • C:\Windows\SysWOW64\drivers\winlogon.exe
    Filesize

    130KB

    MD5

    9b358d4e86d16078d891d9721f886975

    SHA1

    844830757c807f2f1cab7dc5effa754b18f7699c

    SHA256

    077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

    SHA512

    fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

    Download Submit
  • \??\c:\B1uv3nth3x1.diz
    Filesize

    21B

    MD5

    9cceaa243c5d161e1ce41c7dad1903dd

    SHA1

    e3da72675df53fffa781d4377d1d62116eafb35b

    SHA256

    814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

    SHA512

    af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

    Download Submit
  • \??\c:\B1uv3nth3x1.diz
    Filesize

    21B

    MD5

    9cceaa243c5d161e1ce41c7dad1903dd

    SHA1

    e3da72675df53fffa781d4377d1d62116eafb35b

    SHA256

    814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

    SHA512

    af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

    Download Submit
  • memory/1764-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3084-150-0x0000000000000000-mapping.dmp
    Download
  • memory/4420-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4844-146-0x0000000000000000-mapping.dmp
    Download