Overview

overview

10

Static

static

ab6c6ae71a...0f.exe

windows7-x64

10

ab6c6ae71a...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

  • Size

    533KB

  • MD5

    3e2feb71f64528d9b1fc89e659ecbceb

  • SHA1

    8bc722ca6e8723915025bb3b3363e7bc26c3a120

  • SHA256

    ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

  • SHA512

    e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

  • SSDEEP

    12288:xCTPgrnZiJiAaMVkUet7EwBI+APu4UjQLDW:xCTPMAzVkUetVI5u4+SDW

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Control Panel 6 IoCs
    evasion
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
    "C:\Users\Admin\AppData\Local\Temp\ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
      C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5052
    • C:\Documents and Settings\Admin\Local Settings\qljgz.exe
      "C:\Documents and Settings\Admin\Local Settings\qljgz.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies system executable filetype association
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Sets file execution options in registry
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies Control Panel
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:4388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1540
        3⤵
        • Program crash
        PID:3384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4388 -ip 4388
    1⤵
      PID:1456

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Documents and Settings\Admin\Application Data\Autorun.inf
      Filesize

      97B

      MD5

      e0b7531a87635a0a11dbd9edc02c7bed

      SHA1

      74a50849add50351da332164cbf0ae74a43ce8fe

      SHA256

      20e16cf8b48b2bf3adc59251e7dc293c39eb87922d267a768a403fb76f13d765

      SHA512

      e6cbf6e11ad29d17c219ca44ebbcb43adb76bef3d688f38e43520faded492caff162e249bd477f5441858a26eb567c3f70be3cf3cc181a2fb62aaae4efd23c67

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini
      Filesize

      212B

      MD5

      ca815edf2e481dd83bd0cff16caaf7a7

      SHA1

      523fa767fac1b4061762c0262d4bc09a1fa7dddf

      SHA256

      f2566afa47cadf4017f82ee80f11355989fd722fbbbbed1954392bbe2aa2b352

      SHA512

      cef1cf04432326393cd700b6c9c4d3d816a61505a3ba99bafc935ffd52a78635130a752d091dd6511d9781ac9458a404bcfc69ca0cdec55da418b3b8bf9dace2

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\Mr_CF\Folder.htt
      Filesize

      631B

      MD5

      5313060d847a33c356e4e8e286e3de73

      SHA1

      d2b5e89f1fbb96895371e1cde7997ff76814ea9e

      SHA256

      ee482ee2540efc03f1cba611170096f68e14fd4d39bdc8650f3ef6900799fafc

      SHA512

      8c90a8fd5372dadfe95df1deb07bbd14355620dd067b2cce58f76230e2f99129daf65ddc056cab0902ab2b70a4b838a484f62f37b0436e21a963dd1156f551b0

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\Mr_CoolFace.exe
      Filesize

      10B

      MD5

      aa890e8b6cea14efee15351d0b023647

      SHA1

      ab262afffd2fc9205c51a3d033f88261d9e5f51d

      SHA256

      e432cd74ed24c9414e067f2df39ecd17837ef30efd1302f7ea0549a5e26b9277

      SHA512

      cb3b61c01a5fd2f904674bf66c8324f4b846c2f5005342edd8acf3c3049935392a11bf79c7cf87c47de1ceb6f6eef47020ec82a7542098ed265247f9fde320db

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\Mutant.exe
      Filesize

      5B

      MD5

      d32148ccda3f7a55f0b7f076a816256f

      SHA1

      c03f44c9e7d0169012d356ee866d03e6c2832588

      SHA256

      92e78809a183258b69eb841f6faf7f2ab6e404bc34a6200cc9e17460c33da56f

      SHA512

      742d909eed5aaf0b7f246d7f4a139c14fff7ca1b93d1fe8e6814b1023a8a3b30e7c852ee7865a8803f9f4a80709d4e56d7c51b4df3e12f0dc87bd190b9ce68ab

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\SMA Negeri 1 Pangkalpinang.exe
      Filesize

      5B

      MD5

      e3afed0047b08059d0fada10f400c1e5

      SHA1

      4e7afebcfbae000b22c7c85e5560f89a2a0280b4

      SHA256

      c1c224b03cd9bc7b6a86d77f5dace40191766c485cd55dc48caf9ac873335d6f

      SHA512

      887375daec62a9f02d32a63c9e14c7641a9a8a42e4fa8f6590eb928d9744b57bb5057a1d227e4d40ef911ac030590bbce2bfdb78103ff0b79094cee8425601f5

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\Sahang.exe
      Filesize

      5B

      MD5

      7e261f3daad0c1e3f69595637b44c7bb

      SHA1

      e66f4989a31d9bc21323bed5769f1d825e5019b9

      SHA256

      aa63de038d1dd4154ee9a65597d7dee0c1326dc285f9404ec7736781e27c0597

      SHA512

      b20e2c87566b2bfeff37385b6a7a155d9ee3df642dc5d1f73bb7c944067a06e2064c1693268269a5d26ff7caa1f924a47e2f2543a0947f9fe74e16f176f82f2b

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\Timah.exe
      Filesize

      5B

      MD5

      0c5045709c31be521d0c61c10d438b64

      SHA1

      eda07128253fa4eddf17745f26ecee6157ce1ee0

      SHA256

      5952a84b0c9e9814f2746ec1f74274b5fae6eacdd1ad2a47f4e9b79542030380

      SHA512

      7fdecf48f3c153ca40b1370101955dc1905dbc8054d5993638d97711089da2f788415ba616fbf9e0fece3e7df40d897b723d90c7e32be744dc4511bd2bf80e0d

      Download Submit
    • C:\Documents and Settings\Admin\Application Data\explorer.exe
      Filesize

      5B

      MD5

      ab4444306af67246c6bf4665861a7033

      SHA1

      dc1ea19b142476b7c26f76d697044511cc80f955

      SHA256

      3e2acfa11dd607c12bda890812e2d76330d1cf73755afdad7b38d7c883d74946

      SHA512

      1e05b8da2edd1cff518382ce9c07373c7d69371ed413af7648c68d50fd08e477525525d7d7f2c0d851daddafe2b5ecbd08e0f30c9912962e9236fc3b10130214

      Download Submit
    • C:\Documents and Settings\Admin\Desktop\Message For My Princess.txt
      Filesize

      533KB

      MD5

      3e2feb71f64528d9b1fc89e659ecbceb

      SHA1

      8bc722ca6e8723915025bb3b3363e7bc26c3a120

      SHA256

      ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

      SHA512

      e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

      Download Submit
    • C:\Documents and Settings\Admin\Local Settings\Application Data\Polymorph1.exe
      Filesize

      10B

      MD5

      be6aa9304c718cc0662066dc607cac7e

      SHA1

      ced81fdddad9945854d7f9ddc314960d62aa4cc7

      SHA256

      2fc343366abb2fbef9eefb840bd62e74da471dc22e6ea54c845850c37d406d03

      SHA512

      a64474d0f6155bb7dab6d3bb1e504cdfea9231c86e1be561ba603954fc83df78e0d30475355e55d234d4b700a6b1d34ed5b0523f21f28790a65b4584e8891edb

      Download Submit
    • C:\Documents and Settings\Admin\Local Settings\Application Data\Polymorph2.exe
      Filesize

      12B

      MD5

      79a42f3c2c1d4ee83fb3b272d95f91b4

      SHA1

      c264781161c7099449c97c83e070383dee302fc5

      SHA256

      e40701fa689b17d516009beb9902e73366da021a323c5ea494fbce06f1708617

      SHA512

      d065f40115991b3b561aa9e7205e79d7ee134f56cc5a5c4a1ff7679fa06494d20414ead21e21ccd3f8291c44197f302e00f26ee61844bc062691e4c0c4467e04

      Download Submit
    • C:\Documents and Settings\Admin\Local Settings\qljgz.exe
      Filesize

      533KB

      MD5

      3e2feb71f64528d9b1fc89e659ecbceb

      SHA1

      8bc722ca6e8723915025bb3b3363e7bc26c3a120

      SHA256

      ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

      SHA512

      e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
      Filesize

      166KB

      MD5

      a81135541c9d4ebce43efa8ad31395b4

      SHA1

      c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74

      SHA256

      96cf8e21b7838d8162c68825bc8c4747a4380acb672ff73423cbea3ef5590e4b

      SHA512

      b9dffc68a0c11535698345e1bbd58c82dc2a7a142aadd3d21c4f535eb191887340b30f93df1f484d2624b0d3aee4d0e9d52827b4a28c6e904c24d9e07115f768

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
      Filesize

      166KB

      MD5

      a81135541c9d4ebce43efa8ad31395b4

      SHA1

      c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74

      SHA256

      96cf8e21b7838d8162c68825bc8c4747a4380acb672ff73423cbea3ef5590e4b

      SHA512

      b9dffc68a0c11535698345e1bbd58c82dc2a7a142aadd3d21c4f535eb191887340b30f93df1f484d2624b0d3aee4d0e9d52827b4a28c6e904c24d9e07115f768

      Download Submit
    • C:\Users\Admin\AppData\Local\qljgz.exe
      Filesize

      533KB

      MD5

      3e2feb71f64528d9b1fc89e659ecbceb

      SHA1

      8bc722ca6e8723915025bb3b3363e7bc26c3a120

      SHA256

      ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

      SHA512

      e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

      Download Submit
    • C:\explorer.exe
      Filesize

      5B

      MD5

      d32148ccda3f7a55f0b7f076a816256f

      SHA1

      c03f44c9e7d0169012d356ee866d03e6c2832588

      SHA256

      92e78809a183258b69eb841f6faf7f2ab6e404bc34a6200cc9e17460c33da56f

      SHA512

      742d909eed5aaf0b7f246d7f4a139c14fff7ca1b93d1fe8e6814b1023a8a3b30e7c852ee7865a8803f9f4a80709d4e56d7c51b4df3e12f0dc87bd190b9ce68ab

      Download Submit
    • \??\c:\Autorun.inf
      Filesize

      97B

      MD5

      e0b7531a87635a0a11dbd9edc02c7bed

      SHA1

      74a50849add50351da332164cbf0ae74a43ce8fe

      SHA256

      20e16cf8b48b2bf3adc59251e7dc293c39eb87922d267a768a403fb76f13d765

      SHA512

      e6cbf6e11ad29d17c219ca44ebbcb43adb76bef3d688f38e43520faded492caff162e249bd477f5441858a26eb567c3f70be3cf3cc181a2fb62aaae4efd23c67

      Download Submit
    • \??\c:\Desktop.ini
      Filesize

      212B

      MD5

      ca815edf2e481dd83bd0cff16caaf7a7

      SHA1

      523fa767fac1b4061762c0262d4bc09a1fa7dddf

      SHA256

      f2566afa47cadf4017f82ee80f11355989fd722fbbbbed1954392bbe2aa2b352

      SHA512

      cef1cf04432326393cd700b6c9c4d3d816a61505a3ba99bafc935ffd52a78635130a752d091dd6511d9781ac9458a404bcfc69ca0cdec55da418b3b8bf9dace2

      Download Submit
    • \??\c:\Folder.htt
      Filesize

      631B

      MD5

      5313060d847a33c356e4e8e286e3de73

      SHA1

      d2b5e89f1fbb96895371e1cde7997ff76814ea9e

      SHA256

      ee482ee2540efc03f1cba611170096f68e14fd4d39bdc8650f3ef6900799fafc

      SHA512

      8c90a8fd5372dadfe95df1deb07bbd14355620dd067b2cce58f76230e2f99129daf65ddc056cab0902ab2b70a4b838a484f62f37b0436e21a963dd1156f551b0

      Download Submit
    • \??\c:\Mr_CF.pif
      Filesize

      533KB

      MD5

      3e2feb71f64528d9b1fc89e659ecbceb

      SHA1

      8bc722ca6e8723915025bb3b3363e7bc26c3a120

      SHA256

      ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

      SHA512

      e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

      Download Submit
    • \??\c:\Mr_CoolFace.scr
      Filesize

      533KB

      MD5

      3e2feb71f64528d9b1fc89e659ecbceb

      SHA1

      8bc722ca6e8723915025bb3b3363e7bc26c3a120

      SHA256

      ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

      SHA512

      e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

      Download Submit
    • memory/4388-135-0x0000000000000000-mapping.dmp
      Download
    • memory/5052-132-0x0000000000000000-mapping.dmp
      Download