Overview

overview

8

Static

static

35424f2a75...a2.exe

windows7-x64

8

35424f2a75...a2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2022, 08:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35424f2a7588880cd318c667729b0217fa8ae592accef251b9713a396ed653a2.exe

  • Size

    935KB

  • MD5

    499f9f1ef96f7ceaff8822a219e2d721

  • SHA1

    a653e05a45f9f47651af89e34b1f856dbde82820

  • SHA256

    35424f2a7588880cd318c667729b0217fa8ae592accef251b9713a396ed653a2

  • SHA512

    d0e1aab02508455afb453feb0e9e940d107951e4de30a27c00b12c188d0446b34adf985310822e46d6a5b625930881cc7750c66876e96d30f818ffd3c098e5f5

  • SSDEEP

    12288:ELnhM2vZsZ2NDSgB/ZVL5WxewJB6LOgPe2ubegiUAyNiRnj17+o7QLZrvXxNcs:E6WZsgVSqxVLEewn6PPSribR7+hNTXB

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35424f2a7588880cd318c667729b0217fa8ae592accef251b9713a396ed653a2.exe
    "C:\Users\Admin\AppData\Local\Temp\35424f2a7588880cd318c667729b0217fa8ae592accef251b9713a396ed653a2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\csrssv.exe
      "C:\Users\Admin\AppData\Local\Temp\csrssv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1352
    • C:\Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
      "C:\Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /t /im PointBlank.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:432
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /t /im HSUpdate.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:588
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://dcn-mode.blogspot.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    735f8c983261ae17c3b090bdd13b340c

    SHA1

    d6640fbf2c7a22c7de877b47a65a17bff287ea16

    SHA256

    7c748a46daab271f0abfb2ba569c1ebf01cc7cc9a8287226eabbc6131afb541a

    SHA512

    397db7e712081c17d3eff943db4df4f869c5f8d21a71af176c80cba3815c5c8ff563edfdc5044c8a4710fa36f79612d572dbeb796d2da9f82b85889c996bd53d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6adadd1700d34fafec05c2b45b8242b8

    SHA1

    952dc2cf4f271d725848befb3b969a714602e742

    SHA256

    0161bc13f52f11c8bdb6b3cb84f80ac80d23865ad54411133f7ac105751cd476

    SHA512

    d0e3d14cacf80d6bb914bb19a56198483b10964955d2fc19caf4d9beed5329681c7120ef0d807275dbceb27be15426fcafbfbbc250c0fa4d710703dd6f4e019b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    833c207edc2348b218a358474e80c333

    SHA1

    f072ce2c37e57853fb5aa8e9d6b7f27fade71b68

    SHA256

    a1e7bf22d5c13dce8afa81004c9be43aa57a86943b0ac83cc269ffa58e5e1ae5

    SHA512

    bd1065cedc75c77d6cf7c567e10ae09c9b4477767fb27dee658c358dabaf4bff5a4ee9031c3cc1ce3baa1bc9c6d9506951671eb98bcebf0b600507b3000786aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat
    Filesize

    1KB

    MD5

    fbf776bb3a6532ba443bb65767e74e58

    SHA1

    6a154f88fc49467932daf503d9ed24b5937f3731

    SHA256

    8209678fbbefa2e76f12e7ae6a43f33ec03fc35dbf51405a30e47c53ef63f0a5

    SHA512

    972e6169fdffec5c16133be31f1bffe90de42a1acdf23b023195c60140159757539fd15b038e0143cb0526e6cd95f13c9c8e6f6cd79f11d0373c3262ee574d99

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat
    Filesize

    2KB

    MD5

    be753a8a78f817daee022f55d62605d2

    SHA1

    126c5ccc2e885df604ef605794ffefff62192a31

    SHA256

    739b684f284e1a1bc9f9ac940aac058558dbe875e2bea60f11a34a3fdf9e985e

    SHA512

    e3eace8a8b40e6a5b24a5097f1bcbdcf90c8237908a0ce82deb5e773adc172bd0db0c97768a369506eef15ffe96ae4ffe7f5b3858862151d633a4d7e4beb810c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\csrssv.exe
    Filesize

    20KB

    MD5

    7f5831d9f3d7b1ad4965fc726a9ddf92

    SHA1

    b60a6f053bfc9b86f26e0c8004c21cf83ccd63f5

    SHA256

    841d7779224e9a3a96a712b040586be5928f3f1646fe6ce187a9f080a40be3a5

    SHA512

    75dabd08271bc490553c8d0cd8a624a391cb222cbbea7df55d883f21b820fc844d89b9d18b1c39600469c4beae33da46d2c0fd095328ad7020bb9e32a478014c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\csrssv.exe
    Filesize

    20KB

    MD5

    7f5831d9f3d7b1ad4965fc726a9ddf92

    SHA1

    b60a6f053bfc9b86f26e0c8004c21cf83ccd63f5

    SHA256

    841d7779224e9a3a96a712b040586be5928f3f1646fe6ce187a9f080a40be3a5

    SHA512

    75dabd08271bc490553c8d0cd8a624a391cb222cbbea7df55d883f21b820fc844d89b9d18b1c39600469c4beae33da46d2c0fd095328ad7020bb9e32a478014c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JJB82Q65.txt
    Filesize

    608B

    MD5

    e7da0ce50be13c63b104e88cdfcf7596

    SHA1

    8b0f3527d805af5982107d91e22fc4ccb791f7e3

    SHA256

    bcddc644c7a3d7b784964d6ac84b49cee6ebde2d7ca3ed750b26f6f30eb039c1

    SHA512

    01753bf20402ea09dd2222096b7ed97f5116e89d66f9231ac14488466f2d32cd576a4bec0e8add62d83c6fdce65f80fd16db209b5e1be1309f70fa8b0b1dd0e8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • \Users\Admin\AppData\Local\Temp\DCN_PRO_FREE_5_11_2557.exe
    Filesize

    928KB

    MD5

    0eaadd57af672c96ef783e2cdde33e22

    SHA1

    94976680286acc8e2ef58aae4a48571ea99401c4

    SHA256

    69d39b50c4097abd42873137fe44da9b3302495ab9dfab4862e6b4aafb7e7204

    SHA512

    85c9f67daac5b087bbc4e91adc6a40a20467d528c3a768dcd43aff395eebe5e1f4c9f1ff24b041ce7a2acbd8fb7c8faca077a7b17b5018a60a24829d53071d31

    Download Submit

  • \Users\Admin\AppData\Local\Temp\csrssv.exe
    Filesize

    20KB

    MD5

    7f5831d9f3d7b1ad4965fc726a9ddf92

    SHA1

    b60a6f053bfc9b86f26e0c8004c21cf83ccd63f5

    SHA256

    841d7779224e9a3a96a712b040586be5928f3f1646fe6ce187a9f080a40be3a5

    SHA512

    75dabd08271bc490553c8d0cd8a624a391cb222cbbea7df55d883f21b820fc844d89b9d18b1c39600469c4beae33da46d2c0fd095328ad7020bb9e32a478014c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\csrssv.exe
    Filesize

    20KB

    MD5

    7f5831d9f3d7b1ad4965fc726a9ddf92

    SHA1

    b60a6f053bfc9b86f26e0c8004c21cf83ccd63f5

    SHA256

    841d7779224e9a3a96a712b040586be5928f3f1646fe6ce187a9f080a40be3a5

    SHA512

    75dabd08271bc490553c8d0cd8a624a391cb222cbbea7df55d883f21b820fc844d89b9d18b1c39600469c4beae33da46d2c0fd095328ad7020bb9e32a478014c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\csrssv.exe
    Filesize

    20KB

    MD5

    7f5831d9f3d7b1ad4965fc726a9ddf92

    SHA1

    b60a6f053bfc9b86f26e0c8004c21cf83ccd63f5

    SHA256

    841d7779224e9a3a96a712b040586be5928f3f1646fe6ce187a9f080a40be3a5

    SHA512

    75dabd08271bc490553c8d0cd8a624a391cb222cbbea7df55d883f21b820fc844d89b9d18b1c39600469c4beae33da46d2c0fd095328ad7020bb9e32a478014c

    Download Submit

  • memory/1144-54-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1352-81-0x0000000000CD9000-0x0000000000CEA000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1352-80-0x0000000073D70000-0x000000007431B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1352-79-0x0000000000CD9000-0x0000000000CEA000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1352-78-0x0000000073D70000-0x000000007431B000-memory.dmp

    Filesize

    5.7MB

    Download