Analysis

  • max time kernel
    198s
  • max time network
    208s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20221111-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-11-2022 19:05

General

  • Target

    8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224.exe

  • Size

    1.4MB

  • MD5

    25af15bc8c3672441e9464b85fa3742f

  • SHA1

    be922be883f20843964af7b34efa1d8ac45b3c34

  • SHA256

    8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224

  • SHA512

    1c19ff806c8a8accf77abd760b72f3d0badbbbffe8d56c9fd2bae82e4c4301d8becdb61e6435e9fee1d8d99f0f74d11bb513a6e06273ff8928cd78795ab0c6e4

  • SSDEEP

    3072:CYsgk+ruvdasTt9NHhayrHlbGAP1Qm02B545g4FuB3bBo6P6We0VyOjUout:Vr/oS

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Commonly seen in ransomware enumerating drives to encrypt, but on its own a weak indicator.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
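
The signatures above (Run key, file execution options, RegEdit/Task Manager lockout, UAC and firewall policy, Explorer hiding) are all registry writes, so the quickest host-side check is to export the relevant hives and scan the export. The script below is an added example, not part of the sandbox report: `parse_reg_export` and `check_export` are hypothetical helpers, the key paths in `POLICY_CHECKS` are the standard locations for these settings (the report only counts IoCs and does not list the exact values the sample wrote), and `SAMPLE_EXPORT` is a constructed `reg export` mirroring the signature list, not data captured from the sample.

```python
"""Scan a Windows registry export (.reg text) for the persistence and
defence-evasion indicators named in the report's signature list.
Added example: key paths are the standard locations for these settings;
the sandbox report does not state which exact values the sample wrote."""
import re

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# (key suffix, value name, predicate on the DWORD, severity, description)
POLICY_CHECKS = [
    (r"\policies\system", "disableregistrytools", lambda v: v != 0, "high", "RegEdit disabled"),
    (r"\policies\system", "disabletaskmgr", lambda v: v != 0, "high", "Task Manager disabled"),
    (r"\policies\system", "enablelua", lambda v: v == 0, "high", "UAC disabled (EnableLUA=0)"),
    (r"\firewallpolicy\standardprofile", "enablefirewall", lambda v: v == 0, "high", "firewall off (StandardProfile)"),
    (r"\firewallpolicy\domainprofile", "enablefirewall", lambda v: v == 0, "high", "firewall off (DomainProfile)"),
    # Explorer hiding values equal the Windows defaults, so a static export cannot
    # prove the sample set them; only a diff against a baseline export can. Info only.
    (r"\explorer\advanced", "hidefileext", lambda v: v != 0, "info", "file extensions hidden"),
    (r"\explorer\advanced", "showsuperhidden", lambda v: v == 0, "info", "protected OS files hidden"),
]


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: value}} from .reg text.
    REG_SZ ("...") is unescaped, REG_DWORD (dword:xxxxxxxx) becomes int,
    any other type is kept as its raw string."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = (m.group(1) or "").lower()      # "@" is the key's default value
            raw = m.group(2).strip()
            if raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = raw
            keys[current][name] = value
    return keys


def check_export(text):
    """Return [(severity, message)] for every indicator found in the export."""
    findings = []
    for key, values in parse_reg_export(text).items():
        rel = key.split("\\", 1)[1] if "\\" in key else key   # drop the hive so HKCU and HKLM both match
        # 1. Run/RunOnce entries that launch something from a user profile directory
        if rel.endswith(r"\currentversion\run") or rel.endswith(r"\currentversion\runonce"):
            for name, cmd in values.items():
                if isinstance(cmd, str) and re.search(r"\\users\\[^\\]+\\", cmd, re.I):
                    findings.append(("high", f"Run key '{name}' launches from a user profile: {cmd}"))
        # 2. Image File Execution Options "Debugger": the named exe is silently replaced
        #    by the debugger path, a common way to neuter taskmgr/regedit/AV tools
        if "\\image file execution options\\" in rel and "debugger" in values:
            target = rel.rsplit("\\", 1)[1]
            findings.append(("high", f"IFEO hijack of {target} -> {values['debugger']}"))
        # 3. Policy DWORDs that lock the user out or switch protections off
        for suffix, name, is_bad, sev, desc in POLICY_CHECKS:
            v = values.get(name)
            if rel.endswith(suffix) and isinstance(v, int) and is_bad(v):
                findings.append((sev, f"{desc}: {key}\\{name}={v}"))
    return findings


# Constructed export mirroring the report's signatures (not captured from the sample).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    for sev, msg in check_export(SAMPLE_EXPORT):
        print(f"[{sev}] {msg}")
```

On a suspect host, feed it the output of `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` (the exports are UTF-16; decode before passing the text). The Explorer values are reported as info only because their "hidden" state is also the Windows default; the sandbox flags them because it sees the write event, which a static export cannot.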

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224.exe
    "C:\Users\Admin\AppData\Local\Temp\8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1688
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1212
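
The dropped C:\Users\Admin\E696D64614\winlogon.exe carries the same MD5/SHA1/SHA256 as the submitted sample (see Downloads), so it is a self-copy renamed after a core Windows process, not a second-stage payload; the copy then spawns itself again, and the middle process (PID 1316) is the one flagged for SetThreadContext and WriteProcessMemory. Two detections fall out of that shape: a core-process name executing outside the system directory, and a parent re-launching its own image while touching the child's thread context. The script below is an added example, not part of the report: `masquerading` and `self_relaunch` are hypothetical helpers, `TREE` is constructed from the process tree above (parent PIDs of the two roots are not in the report and are set to None, and a legitimate winlogon.exe row is added as a negative case), and the per-process `hints` set stands in for whatever API telemetry you actually have (Sysmon, EDR). Whether the parent actually overwrote the child's code is an interpretation; the report only records the API use.

```python
"""Flag core-process-name masquerading and self-relaunch chains in a process list.
Added example modelled on the sandbox process tree; rows below are constructed."""
from collections import namedtuple
import ntpath

Proc = namedtuple("Proc", "pid ppid image hints")

# Directories where a core system binary legitimately lives (assumption: 64-bit Windows)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names that should never execute from anywhere else (extend from your own baseline)
CORE_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
              "smss.exe", "svchost.exe", "wininit.exe"}


def masquerading(procs):
    """Processes whose image name is a core system binary but whose directory is not (ATT&CK T1036)."""
    hits = []
    for p in procs:
        name = ntpath.basename(p.image).lower()
        directory = ntpath.dirname(p.image).lower()
        if name in CORE_NAMES and directory not in SYSTEM_DIRS:
            hits.append(p)
    return hits


def self_relaunch(procs):
    """(parent_pid, child_pid, injected) for every child running the same image as
    its parent. 'injected' is True when the parent also used SetThreadContext or
    WriteProcessMemory: the shape of a parent replacing its child's code before
    it runs. The report shows the API use only, not what was written."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.image.lower() == p.image.lower():
            injected = bool(parent.hints & {"SetThreadContext", "WriteProcessMemory"})
            chains.append((parent.pid, p.pid, injected))
    return chains


# Constructed from the report's process tree; the last row is a legitimate
# winlogon.exe added as a baseline so the masquerading check has a negative case.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224.exe"
DROPPED = r"C:\Users\Admin\E696D64614\winlogon.exe"
TREE = [
    Proc(1172, None, SAMPLE, {"WriteProcessMemory", "SetWindowsHookEx"}),
    Proc(1316, 1172, DROPPED, {"SetThreadContext", "WriteProcessMemory", "SetWindowsHookEx"}),
    Proc(1688, 1316, DROPPED, {"AdjustPrivilegeToken", "SetWindowsHookEx"}),
    Proc(108, None, r"C:\Program Files\Internet Explorer\iexplore.exe", {"WriteProcessMemory"}),
    Proc(1212, 108, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", set()),
    Proc(500, 400, r"C:\Windows\System32\winlogon.exe", set()),
]

if __name__ == "__main__":
    for p in masquerading(TREE):
        print(f"masquerading: pid {p.pid} runs {p.image}")
    for parent, child, injected in self_relaunch(TREE):
        suffix = " with thread-context/memory writes by the parent" if injected else ""
        print(f"self-relaunch: {parent} -> {child}{suffix}")
```

On a live host the same rows come from Sysmon event 1 (Image, ParentProcessId) or `Get-CimInstance Win32_Process`; the `hints` set is only available where API-level telemetry exists, so without it `self_relaunch` still reports the chain, just with `injected` False.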

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    38a9ee40b61155284982e2fa94ecabb8

    SHA1

    48847436aebb7737c0ffb7a1c7890b97277372ec

    SHA256

    39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

    SHA512

    1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    23c896e3fc14b0352780bf8710ebd27a

    SHA1

    f80cbc14c2447f02c067cc2c126e105b552d472b

    SHA256

    df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

    SHA512

    230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    7036a8e3777fed5d16a9faf057deebd7

    SHA1

    a50e735b3ea88bcbf6af633b938d0756f5b91503

    SHA256

    426a6a3aa934dbe77ba6bba7964b539bfb05874be61b6c49dfbc886ad97debc8

    SHA512

    d2872634617eb2b81e31fd2a8f56e60fa47c707d8c68252174a7c3b21899b6ba72be1344e96f71d050830ea658585815d2ae54efe54c32f325b4a6d2f6f2eda0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    262145f4aad81159bd4ff400ddd7fc2a

    SHA1

    f6c8d363a5d46d08ec6bb03eb4552dddd2971ca5

    SHA256

    5def4b9044e519f680a1806a4e5f851132028d23a129571aae5204e012f5c3d5

    SHA512

    1cb4adbfb4bba0e4881e00a30d4ab6ff7bd7c275446e111af640bbca2431d5b084b2ba35245ac89afd76c9d1c7d26f8b5e3f16982797fe99eace5703bb8d78a3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    07e39363dc95ef40364f882964bce2e2

    SHA1

    039ad6f8ccb26c7a54a4d7f3c59adc55b126c25b

    SHA256

    2976864bcd407801ab4edcc7c9150a38bb412614631354e92610261dd1bb7b6a

    SHA512

    5ed67764201e8b17875943aad133570fa9585905db022052eeace38aa633bb11c40dd43d4f67e271046c0dfbcbc888a472208c01a534b3eeafb992634a8031fc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4330bdf4ccdc6d93cdccfdeafd185efe

    SHA1

    4570990635a65be3430213347b59d47b5d81129c

    SHA256

    2a51585b211f674f6bed4237354093c9a3e49f72a19868b3a0169ee34bf9059c

    SHA512

    f2b26de58b9a49fcf5aadf0d6c89b161f1025d8514bb9eea44b3f19f4033fd51cbfad466c1d5e8afd9c287369a81e0259b244feaf50795b2b539c07f89625f65

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    744cf975ec33f21937a194ee9986ed7d

    SHA1

    23ad386a1613fd72c958defa24caf089545933cb

    SHA256

    f7585e2667eaa9b3a134a71e5522d66b585305bb551b2ad1cfac709332e34857

    SHA512

    ea7b6791a6bd1a15873fb68601031f9a8e7766eba4b8b02201875deeb66f6a1b38b3dd28535689e8dc0a4c063a09eb7c9a81061511a9401fe99465dced39a1f7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    af90450925f95e6e88c0328739e9c7bf

    SHA1

    4062342a2b669381d219ebf36ed8a3991f7c3b70

    SHA256

    7afb10056388a7495cf27c122040e07aa61101accd3293e087482d57d9772c9e

    SHA512

    270e6c7d9dc4eec1f3a6d433034ef11681af007a22e15f7a45b20eb5a0c48de1265d395688fdc719802db596dab79c59205868753a17ffc84f964bc71bf01d7e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

    Filesize

    480B

    MD5

    b63db287d21ea862cf1bc0c8e94e1d51

    SHA1

    8b4924968abcadbaf75584cf5060c23f8521d4c4

    SHA256

    4de6f3bf4d06ba7ffe5730e97788739cea03480e2d68916dc98cf11f54fec8d5

    SHA512

    7e7e1bba453bf14faba3758504da23a128927fa7728505a6910bc3c386b9dfdee23e82d373cff0bd24ebe16df3a280fe480c2115fa6c24f9bc5b3917527f83e5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0GKRQENH.txt

    Filesize

    118B

    MD5

    5ffe51f1c6d98813617d8b04ffa1258b

    SHA1

    bc105bf864e18a1531bcd489159417bd7e3e15cf

    SHA256

    69fa5654e9b47838f51656cf654d095fc4f40f5ccc12e4d0532be89dcbdeff27

    SHA512

    eb4df87e7796cf673efedbd109d0e331d1c23dff5ec15f24c063bad54a72b9b50b8d902919c58be2bfb19c130ccf940539d4b81c8becf2940b916fdc4077f444

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C90JJZY2.txt

    Filesize

    97B

    MD5

    fe75e3510e382f883b540f642ce5b6de

    SHA1

    88d0ec79dbe7a8dd355c4363f2abed69cdd6aa9c

    SHA256

    d3d1e20756424d851adda2617777b1bbcf95a821998e31337aaf32973c03b195

    SHA512

    609168e5007a7dd5e045ebfd72ee0b38038d91c6d0c2986d3b9a267fcd00ae208b45107db3a1155813b193c5db8b0abeb5be9977216e5ee0d7cf0df865d7d11b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TXQRYOQX.txt

    Filesize

    601B

    MD5

    72c47e60ce875528ccdd1a0242ae0ddc

    SHA1

    ea06766d3ae1dcd4ec23f76f1306d3f93ae87c19

    SHA256

    16b40dd09384657789ee7a7581b6db5257b0ad705d21f6abb5e3653b7ebed21a

    SHA512

    872ecc828f19020392c6c736dcb9764307845517fe77ba606f71158b5a394b31ddab08eee17f8380fc733cf66893baf8bbaeabf126c527a4064c3c464569e6fb

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    1.4MB

    MD5

    25af15bc8c3672441e9464b85fa3742f

    SHA1

    be922be883f20843964af7b34efa1d8ac45b3c34

    SHA256

    8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224

    SHA512

    1c19ff806c8a8accf77abd760b72f3d0badbbbffe8d56c9fd2bae82e4c4301d8becdb61e6435e9fee1d8d99f0f74d11bb513a6e06273ff8928cd78795ab0c6e4

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    1.4MB

    MD5

    25af15bc8c3672441e9464b85fa3742f

    SHA1

    be922be883f20843964af7b34efa1d8ac45b3c34

    SHA256

    8ce52e39e0e6e87d152829f4b402bdf48e01e90ca7dfc17faca824b70a823224

    SHA512

    1c19ff806c8a8accf77abd760b72f3d0badbbbffe8d56c9fd2bae82e4c4301d8becdb61e6435e9fee1d8d99f0f74d11bb513a6e06273ff8928cd78795ab0c6e4

  • memory/1172-56-0x0000000075811000-0x0000000075813000-memory.dmp

    Filesize

    8KB

  • memory/1172-61-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/1316-65-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/1316-59-0x0000000000000000-mapping.dmp

  • memory/1688-68-0x000000000043C510-mapping.dmp

  • memory/1688-67-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1688-77-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1688-85-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1688-71-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1688-72-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB