Analysis

  • max time kernel
    181s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 00:29

General

  • Target

    85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe

  • Size

    1.0MB

  • MD5

    516a264d8e43a5ddd5353693b300e4d5

  • SHA1

    d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

  • SHA256

    85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

  • SHA512

    c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

  • SSDEEP

    1536:SNIkp2IdtEo1gbsSklrZWNXuQHPGrQ+wEaYNyZf/3Qcn6aNirob1e4p24JMdWqhM:9YvEo13SklFWNVerQ+KMspBMgX24iE

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Disables taskbar notifications via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • System policy modification 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
    "C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      2⤵
        PID:616
      • C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\\svchost.exe
            4⤵
              PID:676
            • C:\Users\Admin\E696D64614\winlogon.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Modifies firewall policy service
                • Modifies security service
                • Modifies visibility of file extensions in Explorer
                • Modifies visibility of hidden/system files in Explorer
                • UAC bypass
                • Windows security bypass
                • Disables RegEdit via registry modification
                • Drops file in Drivers directory
                • Executes dropped EXE
                • Sets file execution options in registry
                • Drops startup file
                • Windows security modification
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Modifies Control Panel
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:736
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:856
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1480

        Network

        MITRE ATT&CK Matrix (ATT&CK v6)

        Persistence
          • Modify Existing Service (2) T1031
          • Hidden Files and Directories (2) T1158
          • Registry Run Keys / Startup Folder (2) T1060

        Privilege Escalation
          • Bypass User Account Control (1) T1088

        Defense Evasion
          • Modify Registry (12) T1112
          • Hidden Files and Directories (2) T1158
          • Bypass User Account Control (1) T1088
          • Disabling Security Tools (3) T1089

        Credential Access
          • Credentials in Files (1) T1081

        Discovery
          • System Information Discovery (2) T1082

        Collection
          • Data from Local System (1) T1005


        Downloads

        • C:\Users\Admin\E696D64614\winlogon.exe
          Filesize

          1.0MB

          MD5

          516a264d8e43a5ddd5353693b300e4d5

          SHA1

          d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

          SHA256

          85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

          SHA512

          c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

        • \Users\Admin\E696D64614\winlogon.exe
          Filesize

          1.0MB

          MD5

          516a264d8e43a5ddd5353693b300e4d5

          SHA1

          d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

          SHA256

          85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

          SHA512

          c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

        • memory/616-56-0x0000000000000000-mapping.dmp
        • memory/676-76-0x0000000000000000-mapping.dmp
        • memory/736-99-0x0000000000400000-0x0000000000443000-memory.dmp
          Filesize

          268KB

        • memory/736-94-0x0000000000400000-0x0000000000443000-memory.dmp
          Filesize

          268KB

        • memory/736-95-0x00000000004416E0-mapping.dmp
        • memory/736-98-0x0000000000400000-0x0000000000443000-memory.dmp
          Filesize

          268KB

        • memory/736-103-0x0000000000400000-0x0000000000443000-memory.dmp
          Filesize

          268KB

        • memory/756-72-0x0000000000000000-mapping.dmp
        • memory/756-75-0x0000000000400000-0x0000000000435000-memory.dmp
          Filesize

          212KB

        • memory/756-85-0x0000000000400000-0x0000000000435000-memory.dmp
          Filesize

          212KB

        • memory/1156-65-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-58-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-74-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-66-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-64-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-69-0x0000000075BE1000-0x0000000075BE3000-memory.dmp
          Filesize

          8KB

        • memory/1156-57-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-62-0x000000000041AAC0-mapping.dmp
        • memory/1156-61-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1156-60-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1396-54-0x0000000000400000-0x0000000000435000-memory.dmp
          Filesize

          212KB

        • memory/1396-55-0x0000000000400000-0x0000000000435000-memory.dmp
          Filesize

          212KB

        • memory/1640-83-0x000000000041AAC0-mapping.dmp
        • memory/1640-93-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1640-92-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB