Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 19:03
General
-
Target
6723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d.exe
-
Size
855KB
-
MD5
44096bae1ae755f2165f19b3dbf20870
-
SHA1
c8ab70294abdc918d69ad049db03d1ca1be7b14c
-
SHA256
6723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
-
SHA512
3fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
SSDEEP
1536:ehqF+u1LAn+5eHByhdNMcmTcHEnStBFwYAuPzJU3LZlYbr5A/zdHnAkUEocqgvJM:xvm4VMcmYAYjPzcfYf5Ard2EorYDk+W
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 14 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 15 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 50 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d.exe"C:\Users\Admin\AppData\Local\Temp\6723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\6723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d.exe2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
-
C:\Users\Admin\E696D64614\winlogon.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:668683 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5f2d89c85e212ef130eac6d92aa534b39
SHA11291a316628bb3582421a4af7ad700141c9f15fd
SHA2564430efe85d4c1c214ec8e4d5cdf0b3b8e39195a3e037b334fdcb93915253cb1f
SHA512d80608f2fb32d30cac39b853f00bea61d5aadf9eb5fb607e41820f5782986d6a5e2151c38235342a3128649938edf91c4f27e3d5c355ed961c9ad314c762b335
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4Filesize
472B
MD5ae7674294f5a17ef8761b33ac4dad848
SHA130a771e623dd1e3cb8694bb5f71393aaa9e87b6a
SHA256cac85ed50ce25c45d5093aaaa231a0d1cd9667f47bd2312947070ba202c5d96b
SHA512ab4a0adbe606ac6b1b8c87fb24fa23c7fdd23fbdcfb616f24fe1269dd4d409c45d7b64cdf65b08caa13e88b4461b29d2bded7e197120a7f65a525c2c5e905a5a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562Filesize
1KB
MD57055fbc792b81e2fcdb72da9d3e6ad81
SHA1dec614359d5d9e76c20aadd3d467037e6a9665ff
SHA2560eb7311d9c9d181942fd9c9ff0217a360ae91829d0dd6df95a8247625eccae34
SHA512b1a94b289211cba78d11888c30d2e6b16fb21fc21476c69e8c9ae618f169ca02f6ddaeac72e1e8bce3a0ea9f4bfbd4e47005703963b6cdf46773d27c34e16f5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26Filesize
1KB
MD5ad6d84486c3194ab2f71ef94912fdddc
SHA189aeb9ea77a27510b11762db5acef5654b62ea4b
SHA256437fe72dd5a616c3db9a8e0c4823731abdd627641879ed511e9cf86994492789
SHA5120e37e80588d96a6fb9fe34c0d34d688bb64f3540185fa9e2cb1ed0504229003f3bc31be717a390d3acc668bbfb7a1645cc52bb9e4235afc85a23653ead8ad09a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD5f569e1d183b84e8078dc456192127536
SHA130c537463eed902925300dd07a87d820a713753f
SHA256287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA51249553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5db0bd4ca3b3fc4a2d58c63e48c555318
SHA1dbba31e7d8db19359877109b9fcfe0a0fd0550a7
SHA256a4b7d1c37d70782eb5589b29056554f0175e39d129f21ab3fe93a6db323e3cd2
SHA512deba1b892257901cc2a528f8c1099858c3c550672fce859dabcaf6a645eaf57228e01be94da7ddfef8e71369243a41d55d76ba8a09aaf514af1b6ab1572b77f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4Filesize
402B
MD5f927d4f09198156dcf9fa950229a566b
SHA17dfe2013a968c91eb5f94e1cf89607c929998e92
SHA2567483743ce6f3e06c1794a0e78e23a686d2fdc9ecf46227374555fb4ae19a988d
SHA51247835d1f79eb67ea4f512808e542fc0fb508014c61f1e6d92f522f76c3aabab0925235e1f72613c48646908811f896e6a1e0c6678126d72f62661ba2d13214a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562Filesize
466B
MD58bff803dd432f670c00898509b506240
SHA130e017f4a69dab49793731c6fd726f17d4109af4
SHA25618e24d25b0c2154a9b4ca8fa6d7142f9a9bb72245a3487fbfd68228c10193d8f
SHA5125bc5867896b8c5bf83dcaac33d50b82249aec655210e6cd10bae6c89b10fc3108ad28e7b833ea3908de83474ebbb509a42000b1c5c00cbae0cc218279f614a65
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ac19d023d0e0f5a2ba9fe3793a1c69ed
SHA15ebe13a730235667af6d294f778b19fec55f38d7
SHA2560f24addecfa7e1738657740f02af47a3ee6806a9faa4ed0befe2600accc65227
SHA51298c3522da9bdeb2b0d0935da7ec9716c2e58e3bb73b32d5c7b2b6e5b8a83384c898ad633ba61b98bc17cc6c6fa474575b82dc7327028d24fb9f15b8e3e0025e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a18aeb75bc8bb02c3a96cea67c957279
SHA164f270f2f3adea04f2b89796d9e05164d9593055
SHA256fa2465e1a2520ff9653814c107fad466b15b6c63eed0930757401033aa7dd499
SHA512a7eefb2d7f4faa0899075aacdee2fb57ef3b5a2e5dd40a02249b1834cd93e6f053984a1a4f19133e869a5b48a7eb778cd5df0cf9485672bd36e77c126220f89d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f62b8ef0447a1233583079cd6a6fe9cd
SHA104b570f5856f4480cfd3036839e1d523191bc9b2
SHA2561ac5b749c0ccd05d10be7f52d5a77fd904bc8addb13b4051bf6d51ccc64a9404
SHA5124a196686d2aeac20dec5a8ce9dd326162d442e3b0362e94ce2959f8df244ae1d7334128353c3596be9b670f6d72983ed6b3cf424fbd57509b92dedf99712d88a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5d3d9ce9cb36f5853803edd5b45b88973
SHA1699dbec5cc488e3428908f1640a54d460ec1bb31
SHA2569dde143adbdcb38d800adf2e5cdde1311e17095b8cc48e24e940c1b9b4713ce9
SHA5125776ec51f0c4353dafb6e2de425c6e326ce0e0721e50b476aff5d2d3fb1f71bbb0ae967dad389b949966f6587d10c49f6e16349d5f648f32d476b7cbf63eaf8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5b02c5557f0670f411dec290db3899800
SHA1fbda0e5b73c9581ee3cafe845177ad7c306a4a9c
SHA256c18415c5540408ffa29b677afe20f8293546067a861713a861f76819e93e17a6
SHA512d042223950500842265d00015c9f4b12d81b16a0a7a698875b3fc8f82b7802d27739bfccf746f867e28a1e30b5b54cee21a1e22567b1326143737276322ebafe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26Filesize
470B
MD589903b8752ecfc1687ea432fb10fd6cd
SHA1af88e218594d46b5cbe8b6eda5f6d9843fc78d09
SHA2562a0b3f572c10702f37fa766b460f301cbf60865c138c8a60f1803125d0c72af0
SHA5122710071dc03d3c9111ea0931b8a2bbda27afafd08dfb9a7c226f7172bbb9e75d276fa07b260116837e77aaf51970bf47210a4dd5efeb34831c70ce49facbb95c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD57a7a3f463b0e0395b01db0fab4f8b2dc
SHA1833d0d0d31e42f9ab7f2f79bc4a6b96999e579ce
SHA256367969352cec02286f502f27df6379a746168661260bf87970805c9afba86370
SHA5129f1d942487dfa70c1ca7376e8313284528ac4124854f155625b67c2de1fc2a9180ecb41a7dbb3e0be335fc1704f8605f82e7857524b4b6dc9b4f571665f30ee9
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\EVNK484E\www6.buscaid[1].xmlFilesize
13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
855KB
MD544096bae1ae755f2165f19b3dbf20870
SHA1c8ab70294abdc918d69ad049db03d1ca1be7b14c
SHA2566723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
SHA5123fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
855KB
MD544096bae1ae755f2165f19b3dbf20870
SHA1c8ab70294abdc918d69ad049db03d1ca1be7b14c
SHA2566723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
SHA5123fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
855KB
MD544096bae1ae755f2165f19b3dbf20870
SHA1c8ab70294abdc918d69ad049db03d1ca1be7b14c
SHA2566723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
SHA5123fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
855KB
MD544096bae1ae755f2165f19b3dbf20870
SHA1c8ab70294abdc918d69ad049db03d1ca1be7b14c
SHA2566723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
SHA5123fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
\Users\Admin\E696D64614\winlogon.exeFilesize
855KB
MD544096bae1ae755f2165f19b3dbf20870
SHA1c8ab70294abdc918d69ad049db03d1ca1be7b14c
SHA2566723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
SHA5123fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
\Users\Admin\E696D64614\winlogon.exeFilesize
855KB
MD544096bae1ae755f2165f19b3dbf20870
SHA1c8ab70294abdc918d69ad049db03d1ca1be7b14c
SHA2566723d807f4b496d9f2a85054adfb6242a15d76f9d775918497c38df52ba9af9d
SHA5123fb769387fc3419593cc8496830523af701703cc824563a2084b5f36901a4a1b717bc00e6e5f317abc39dcb7d927381108bbf41ca27fcd9b7361cf38f62d26dc
-
memory/580-69-0x0000000000000000-mapping.dmp
-
memory/608-82-0x0000000000441670-mapping.dmp
-
memory/608-89-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/608-93-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/608-111-0x0000000003F10000-0x0000000004F72000-memory.dmpFilesize
16.4MB
-
memory/608-81-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/608-86-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/688-76-0x00000000010F0000-0x000000000112B000-memory.dmpFilesize
236KB
-
memory/688-66-0x0000000000000000-mapping.dmp
-
memory/772-88-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/772-87-0x00000000010F0000-0x000000000112B000-memory.dmpFilesize
236KB
-
memory/772-72-0x000000000041AA60-mapping.dmp
-
memory/772-94-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1088-70-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1088-73-0x0000000001300000-0x000000000133B000-memory.dmpFilesize
236KB
-
memory/1088-63-0x0000000076221000-0x0000000076223000-memory.dmpFilesize
8KB
-
memory/1088-60-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1088-59-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1088-55-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1088-56-0x000000000041AA60-mapping.dmp
-
memory/1720-54-0x0000000000000000-mapping.dmp
-
memory/1728-58-0x0000000001300000-0x000000000133B000-memory.dmpFilesize
236KB