Overview

overview

10

Static

static

8

078bf6fad8...de.exe

windows7-x64

10

078bf6fad8...de.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    199s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 00:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de.exe

  • Size

    703KB

  • MD5

    cac2bd81251cee7a5e5d5e06210bc9ec

  • SHA1

    7ce442841a27ae9f3500909bbea70895bd3d456b

  • SHA256

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de

  • SHA512

    465c29ddafa10c7a86d615ec8130a50d0e39ea41721e5bfee49d4674c931659520622c21613d6680932276314ac50c676fcd5d28905388cd48a90f6a6aeb811a

  • SSDEEP

    1536:cd04boUzdIBsZUpUQSe1sjL/91IqmM4nouy8:cdJboUpEsueFssP11I5Mwout

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de.exe
    "C:\Users\Admin\AppData\Local\Temp\078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:324
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    8cd381eca2d5342e36b1e65a9b7f82d5

    SHA1

    d9b529576e1ea26e8daf88fcda26b7a0069da217

    SHA256

    17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

    SHA512

    c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    23c896e3fc14b0352780bf8710ebd27a

    SHA1

    f80cbc14c2447f02c067cc2c126e105b552d472b

    SHA256

    df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

    SHA512

    230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    598f7faa334e491959fe9bf491437e1d

    SHA1

    33fc456b5c35524dec158e1b0910291d56399a41

    SHA256

    d7ba4bee8a9007456197fc0238782674cb7e8a9b87293bd25badd6e8ecf2f884

    SHA512

    5f20d4d1aa8a352743d11fac239060a75f0a76a7f633c192ddea384098fee4c764a9d4951f37d96fb824370ba9aecf6a484763de98178d5b03cc6c5797cce5b6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    52a3c2388056388f5c61c69665d4d35e

    SHA1

    030b8042f0d21c151b50240de0b645e4095b1c40

    SHA256

    d1a1a2a4eaa7f802356f346c12fc227bcd0a6288cbc4062dd75f566c5a426023

    SHA512

    3892376da93ee06ce2497a712da0d10e9ff56b40fc54a575ab2dc883f952e57336c2a6ed421ae1221448c86e68ab10ab7eb9c2a49d34b939ebdef2a7b65a4882

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8e840398bd0fa1a5760ba4b2a94251a9

    SHA1

    e092e251bee4ec3137e726ddbe08ebdcf0fcf392

    SHA256

    4328ff630db3b23065f8326fd01a9dcbcaa2d68c27ff7c507dc7a4c6b0e13aa3

    SHA512

    cacae9c373b3ac5932ea4dc626287347f49bfd650952efce7e0922a3aa49e747e38a9b00a0552f661f613c6beddc452491dc83726277a37fd302f89ef396c932

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    063d1ad04ab61b3eb05ff3be02175f7a

    SHA1

    ef00f4d1546ac62206ae9ab0ed787d434427bf94

    SHA256

    f105677175d98300a7ffeee048f6a913deff66437e77b5d923550c8e1137d837

    SHA512

    898026ee77a57a18c551cf628f5e2529158c8626fcf87262f688fd10410a37b28cc4bde637c4877e09d5a6ff5b3039568dd7f2d89205f478e04be56900b0acc7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
    Filesize

    480B

    MD5

    2e4f55ede5295a4a722797639cedbc49

    SHA1

    9b4c9da33f5943414b1ab6c10fc3adbde40f63f3

    SHA256

    cf0f0829a22a5d5e47b891ae8f5c754ca4bc8c486d79ee4a864958722f5cd1d5

    SHA512

    8918f2affada53b5f9f2be07268b3cafe90db3982a8e933db75fec99a609b78bd143466dcb79794bd41051d41d05698cd0782859c28b786e2c23338a634b8d52

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0VAXSDGD.txt
    Filesize

    96B

    MD5

    772889005843c7724bb603b1c85dde96

    SHA1

    70dec89fdc25991779745df844c4bec79578db45

    SHA256

    6145fbb9d61ea2f2274960c0ca4f363917f3cbea93d3c8cef2ea67da448f0bc9

    SHA512

    f4b9f5c21bd53e516bb59820226e3a9505a995220fe677dab98f1578c70495310facb9e367989cb7b908346fcb60ec739e223c4f8a902d0375580c648a25c4a5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1UHPHZV0.txt
    Filesize

    601B

    MD5

    38e9cf045b53ff7b1aef6a3715d06c1d

    SHA1

    524cc17d113dc267d645762bbcd25a809910495f

    SHA256

    50b1251217e3560548d2ac62b6a5df27d53bbd58ae30e0fe5be890940e069ba9

    SHA512

    f14b175e57cdd7008c6abd42499bd45ebb7aea5457ae17ca1dbe3059994289d0826fdcc92c68d5d2af06b9c2d4bcaea57fcf9eb4f02a24c025bd721546a448b9

    Download Submit

  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    703KB

    MD5

    cac2bd81251cee7a5e5d5e06210bc9ec

    SHA1

    7ce442841a27ae9f3500909bbea70895bd3d456b

    SHA256

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de

    SHA512

    465c29ddafa10c7a86d615ec8130a50d0e39ea41721e5bfee49d4674c931659520622c21613d6680932276314ac50c676fcd5d28905388cd48a90f6a6aeb811a

    Download Submit

  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    703KB

    MD5

    cac2bd81251cee7a5e5d5e06210bc9ec

    SHA1

    7ce442841a27ae9f3500909bbea70895bd3d456b

    SHA256

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de

    SHA512

    465c29ddafa10c7a86d615ec8130a50d0e39ea41721e5bfee49d4674c931659520622c21613d6680932276314ac50c676fcd5d28905388cd48a90f6a6aeb811a

    Download Submit

  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    703KB

    MD5

    cac2bd81251cee7a5e5d5e06210bc9ec

    SHA1

    7ce442841a27ae9f3500909bbea70895bd3d456b

    SHA256

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de

    SHA512

    465c29ddafa10c7a86d615ec8130a50d0e39ea41721e5bfee49d4674c931659520622c21613d6680932276314ac50c676fcd5d28905388cd48a90f6a6aeb811a

    Download Submit

  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    703KB

    MD5

    cac2bd81251cee7a5e5d5e06210bc9ec

    SHA1

    7ce442841a27ae9f3500909bbea70895bd3d456b

    SHA256

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de

    SHA512

    465c29ddafa10c7a86d615ec8130a50d0e39ea41721e5bfee49d4674c931659520622c21613d6680932276314ac50c676fcd5d28905388cd48a90f6a6aeb811a

    Download Submit

  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    703KB

    MD5

    cac2bd81251cee7a5e5d5e06210bc9ec

    SHA1

    7ce442841a27ae9f3500909bbea70895bd3d456b

    SHA256

    078bf6fad81012be297caf2e1dc968b46013d59a530e02d4f1045b40f6a5d8de

    SHA512

    465c29ddafa10c7a86d615ec8130a50d0e39ea41721e5bfee49d4674c931659520622c21613d6680932276314ac50c676fcd5d28905388cd48a90f6a6aeb811a

    Download Submit

  • memory/268-60-0x0000000000000000-mapping.dmp

    Download

  • memory/268-68-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/268-67-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/324-79-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/324-70-0x000000000043C580-mapping.dmp

    Download

  • memory/324-69-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/324-73-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/324-87-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/324-74-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/828-62-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/828-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/828-57-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download