Overview

overview

8

Static

static

9267c1202a...dd.exe

windows7-x64

8

9267c1202a...dd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    173s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9267c1202a2d920604d2c3c3b008834638ab4e1119fecb8247827bf958573ddd.exe

  • Size

    212KB

  • MD5

    2c967c7cabed448738972194a7a9aa2f

  • SHA1

    2bff6b92ee776dd95ed31a74ebd0444bd808751f

  • SHA256

    9267c1202a2d920604d2c3c3b008834638ab4e1119fecb8247827bf958573ddd

  • SHA512

    646c00cbe10936bf6163f9ced4f833cfdb2a7f53ac39804b1566a461078961c7765b53bbe27d0a7245089ddc57e174e0ff4d13e6d1290d3beaeaff5c2e91d5b0

  • SSDEEP

    6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDma:dHp/urb4A1WdBfd

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Modifies registry class 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9267c1202a2d920604d2c3c3b008834638ab4e1119fecb8247827bf958573ddd.exe
    "C:\Users\Admin\AppData\Local\Temp\9267c1202a2d920604d2c3c3b008834638ab4e1119fecb8247827bf958573ddd.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2708
    • \??\c:\Program FilesHHO8J4.exe
      "c:\Program FilesHHO8J4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Program Files\Internet Explorer\IEXPLORE.exe
        "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5076 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5068
      • C:\Program Files\Internet Explorer\IEXPLORE.exe
        "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
        3⤵
        • Modifies Internet Explorer settings
        PID:2056
    • C:\Windows\SysWOW64\WScript.Exe
      WScript.Exe jies.bak.vbs
      2⤵
        PID:1756

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program FilesHHO8J4.exe
      Filesize

      36KB

      MD5

      bd5fa6b524fbcffb89319e2943418115

      SHA1

      db3c6adb26f3452bee3c0e81b095f26c62310b46

      SHA256

      e004c16743d0be1427a6c85b814c4b883f2b0bb1ad346ad14e7a31595aa5256f

      SHA512

      ba68f7ff41d576914432a149a1dea8b37a960593f23c4a5b8ddf791a7a4967cf78631aef4b06b80e2808db61e36c15dba5f6db31806451669538bcb5b05aaa12

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs
      Filesize

      486B

      MD5

      0dfd74dba9aac7f976d1675cf761dbdb

      SHA1

      6cf013c2ec46df8d62a6c71f068887bc60c935fb

      SHA256

      0e0ec4bf2329089cd3b664237c748ecee4c2229bc4c13f7d2d3f5c1b3b1ba6f6

      SHA512

      7f68d26585e97de335ef4173e99a7c6d71407041c1402f0bcaee1ff858798fab4f5c2cf6844cf69cdb42fd4c23e675e07101399ea2e1349739b7985fcaf303d3

      Download Submit

    • \??\c:\Program FilesHHO8J4.exe
      Filesize

      36KB

      MD5

      bd5fa6b524fbcffb89319e2943418115

      SHA1

      db3c6adb26f3452bee3c0e81b095f26c62310b46

      SHA256

      e004c16743d0be1427a6c85b814c4b883f2b0bb1ad346ad14e7a31595aa5256f

      SHA512

      ba68f7ff41d576914432a149a1dea8b37a960593f23c4a5b8ddf791a7a4967cf78631aef4b06b80e2808db61e36c15dba5f6db31806451669538bcb5b05aaa12

      Download Submit

    • memory/1756-139-0x0000000000000000-mapping.dmp

      Download

    • memory/3060-134-0x0000000000000000-mapping.dmp

      Download