Analysis

  • max time kernel
    147s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 07:23

General

  • Target

    33720571befd5f3e12b781fa94833929d61253e2dc1ad05aece4a1bb4e598667.exe

  • Size

    983KB

  • MD5

    13594cc201f9fe3cc25c08fbd75b6192

  • SHA1

    c1844f7f46ab35e76e82b371c8e1eba5a749ea8a

  • SHA256

    33720571befd5f3e12b781fa94833929d61253e2dc1ad05aece4a1bb4e598667

  • SHA512

    ffeb469f4e0bab30cf24126d576563771169f49b37df15cba4a27243ddc9dfd262c672b6dffb2cd103e2c5ed7bf264cf5550117548460a4b5661794ec3933a31

  • SSDEEP

    1536:cd04boUzdIBsZUpUQSe1sjL/91IqmM4nouy8:cdJboUpEsueFssP11I5Mwout

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33720571befd5f3e12b781fa94833929d61253e2dc1ad05aece4a1bb4e598667.exe
    "C:\Users\Admin\AppData\Local\Temp\33720571befd5f3e12b781fa94833929d61253e2dc1ad05aece4a1bb4e598667.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1964
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:916

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    8cd381eca2d5342e36b1e65a9b7f82d5

    SHA1

    d9b529576e1ea26e8daf88fcda26b7a0069da217

    SHA256

    17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

    SHA512

    c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    23c896e3fc14b0352780bf8710ebd27a

    SHA1

    f80cbc14c2447f02c067cc2c126e105b552d472b

    SHA256

    df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

    SHA512

    230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    ad5d87428b42db032afde1ed5ad22231

    SHA1

    e44f33775b291dc242c8d104b0185c52df89d89a

    SHA256

    6bc9f982abeffa9b9c1648077ae3bf416362e28893be5f418e61ce9e1773e991

    SHA512

    268fb8f4e8950f8691d8c1866a6577573670e2d7efcdd29feb3889c47717b403fe865d342e5cb315221857e2e11ab8c4041a3f92c73967133d1c82175614e713

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8e51608ff1bd1a91a1b05fa1b3d48330

    SHA1

    0a390a17a7fea7735b7e82637113fbdfaad69d0c

    SHA256

    997acd84cede8b217adb3001bfc1b11a55502025748d4fbfa2429a2017d2b251

    SHA512

    f583181bda0dc03f2e69fa855a4c75140c23af414fddea84c7b32582ff5bb535761fc9e101eac5fda3cacdd7d801c287f49d75873bd225e6eaba7d80c91d015d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2be4a4fa405762ef4ab19c3990c8cbdf

    SHA1

    4ffba7437f748dd464af694ba69b89eaf1e326a5

    SHA256

    cc4cd6649c3a5b707adc76dbcae15552363b391b6c2948e520f126772b8902de

    SHA512

    6bff31a36008b37fe66d0f2d5e4c7a976cdecea7e52d16e72c29d753b215ceee27137d8a12c2458b50b00c65a402168e7f8a41932f56077f2304474d7ce38e00

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    01782f4120606e0fe48dad5c31725717

    SHA1

    1b63a1af53c2af15453793c0d3985de9ef6e1e26

    SHA256

    00e995c35192651ef50685eae0aed11d2271e5245bc9ba323b6c0bb5483c48a5

    SHA512

    f78ab8c001548aefe04df99ed056f85325a94836c8d81c500244a0f60e661655e788be66873609a8df09b75ca4e83768821613b57d66ff9374fb05461a664774

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    c1176b6624c5f10c7217b3ff37d57602

    SHA1

    57b4e717c15b45754ae9813641c246d5f10f4c94

    SHA256

    2791b172d7eddaae95df7fbadd61d283aceb9415cc7989557494bdae7ce837cd

    SHA512

    b566d49250767f9d5cc4d76023d79d9e71dd72cee0d04f40c42fff287da043db9a93b9e477acaa2392f0c747f8f985d3f8e42ca6bf79a920bbc78bb309616a82

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

    Filesize

    480B

    MD5

    8e58d4cdd66bd4806a385c3f216a62cd

    SHA1

    553bae50e2b1b907d52058656fbc7c2591a702a8

    SHA256

    382482a1da14ea5323f697f1dc263750730c0fee82d5bf53516fe93e21a2d965

    SHA512

    bac1b1523c666fdae8ea24d81f2def9fe7a01a1cae64dd634ecba94be79aac6ce4eeaeb739a6323fc42de95a3886986d2fde33457e9ef4f677baf793c285c346

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9H8MFEWK.txt

    Filesize

    601B

    MD5

    0ec13b425e3a719671d5b866ffee1228

    SHA1

    efc45e9baa05ca0e1879d15ee3c068bbf958f457

    SHA256

    d3ce18e272ae434d54b661700c100b50a7d1829e8b8c548f36c3568d26ab1292

    SHA512

    28a7ba3447e6684f6e43b722d0c65868ea02f498819f79eb1e5a698d5f694061047c19d1edbe6c15744a1fd9d8e7477c4436ab18ed640a2b2003e2547c730d11

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WXX39PPZ.txt

    Filesize

    97B

    MD5

    a96c897ff192f24433b056aef625baf9

    SHA1

    7c75c70fda1e8d092dde7c51fdd418eb698e201b

    SHA256

    e62aa686c8acc8394ef7e47b6e491232e9ecb402bd7bf7f41a0d76136ef8a7c5

    SHA512

    f756beef1aa0079d5e44d5d99f471eaff6fd62c1880d6af5a1b1ee2811a1c7db7d2845f55b917e3ed2f6074996c5191abc3075312b1de6c6239ab4a5842af2d9

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    983KB

    MD5

    13594cc201f9fe3cc25c08fbd75b6192

    SHA1

    c1844f7f46ab35e76e82b371c8e1eba5a749ea8a

    SHA256

    33720571befd5f3e12b781fa94833929d61253e2dc1ad05aece4a1bb4e598667

    SHA512

    ffeb469f4e0bab30cf24126d576563771169f49b37df15cba4a27243ddc9dfd262c672b6dffb2cd103e2c5ed7bf264cf5550117548460a4b5661794ec3933a31

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    983KB

    MD5

    13594cc201f9fe3cc25c08fbd75b6192

    SHA1

    c1844f7f46ab35e76e82b371c8e1eba5a749ea8a

    SHA256

    33720571befd5f3e12b781fa94833929d61253e2dc1ad05aece4a1bb4e598667

    SHA512

    ffeb469f4e0bab30cf24126d576563771169f49b37df15cba4a27243ddc9dfd262c672b6dffb2cd103e2c5ed7bf264cf5550117548460a4b5661794ec3933a31

  • memory/1232-62-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/1232-54-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/1232-57-0x0000000075C31000-0x0000000075C33000-memory.dmp

    Filesize

    8KB

  • memory/1964-74-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1964-73-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1964-70-0x000000000043C580-mapping.dmp

  • memory/1964-69-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1964-86-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1964-87-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2024-67-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/2024-66-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/2024-60-0x0000000000000000-mapping.dmp