Overview

overview

8

Static

static

1

dab2c02acd...00.exe

windows7-x64

8

dab2c02acd...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    189s
  • max time network
    195s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500.exe

  • Size

    201KB

  • MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

  • SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

  • SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

  • SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

  • SSDEEP

    6144:IDpoe0GbZS8iuS9JtXehhQxGoyvCxlH3+q2zWf:vGcxuSj2vq3+qVf

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 18 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500.exe
    "C:\Users\Admin\AppData\Local\Temp\dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500.exe
      "C:\Users\Admin\AppData\Local\Temp\dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Users\Admin\AppData\Roaming\snchost\snchost.exe
        "C:\Users\Admin\AppData\Roaming\snchost\snchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Users\Admin\AppData\Roaming\snchost\snchost.exe
          "C:\Users\Admin\AppData\Roaming\snchost\snchost.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
            "C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
              "C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1620

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\brooklimes\blubber.ee
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\brooklimes\blubber.ee
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\snchost\snchost.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\snchost\snchost.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\snchost\snchost.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\appdomain\appdomain.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst30E3.tmp\Candice.dll
    Filesize

    20KB

    MD5

    732cbd77a56a2f8fee746ac1afaeed01

    SHA1

    78cb5f3fa2453b6fc1c2b8096866ad89393b8ac8

    SHA256

    e422d969a61b497b22eda547ffde52581685a2fd499abae8694adbbc64eb8d9d

    SHA512

    71da534abcaa3a0c13f486e1471d1ccf71232f0034ddb6381b840b56bfb31f27ec2ab54110f0fd0fe868bd5a0f703a9bc6164a012b00efa3eb1001582fdf4b44

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstB399.tmp\Candice.dll
    Filesize

    20KB

    MD5

    732cbd77a56a2f8fee746ac1afaeed01

    SHA1

    78cb5f3fa2453b6fc1c2b8096866ad89393b8ac8

    SHA256

    e422d969a61b497b22eda547ffde52581685a2fd499abae8694adbbc64eb8d9d

    SHA512

    71da534abcaa3a0c13f486e1471d1ccf71232f0034ddb6381b840b56bfb31f27ec2ab54110f0fd0fe868bd5a0f703a9bc6164a012b00efa3eb1001582fdf4b44

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsyFBEE.tmp\Candice.dll
    Filesize

    20KB

    MD5

    732cbd77a56a2f8fee746ac1afaeed01

    SHA1

    78cb5f3fa2453b6fc1c2b8096866ad89393b8ac8

    SHA256

    e422d969a61b497b22eda547ffde52581685a2fd499abae8694adbbc64eb8d9d

    SHA512

    71da534abcaa3a0c13f486e1471d1ccf71232f0034ddb6381b840b56bfb31f27ec2ab54110f0fd0fe868bd5a0f703a9bc6164a012b00efa3eb1001582fdf4b44

    Download Submit

  • \Users\Admin\AppData\Roaming\snchost\snchost.exe
    Filesize

    201KB

    MD5

    cae7cdec6c497d531ee7be54f4ffe3ec

    SHA1

    83077a84240f5dc88b678dc054e2ccbea0ab3e14

    SHA256

    dab2c02acde0e527c1c7c4e85cc5127b2b0d8ed3fd5482c8d90afb1b0c8ba500

    SHA512

    4ac5e07a64b6b0af746d518bbf242120cc9a34e8871fe6e055efbdec2c749a1981fe3b715eb7d9646df45911b7565980ba281eb647016512a33e7f429f110adb

    Download Submit

  • memory/320-73-0x0000000000000000-mapping.dmp

    Download

  • memory/832-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/968-91-0x000000000040CCEF-mapping.dmp

    Download

  • memory/968-105-0x0000000073F20000-0x00000000744CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/968-127-0x0000000000230000-0x0000000000270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/968-125-0x0000000000230000-0x0000000000270000-memory.dmp

    Filesize

    256KB

    Download

  • memory/968-94-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/968-96-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/968-97-0x0000000073F20000-0x00000000744CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/968-106-0x0000000073F20000-0x00000000744CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1620-126-0x0000000073F20000-0x00000000744CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1620-124-0x0000000073F20000-0x00000000744CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1620-123-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-118-0x000000000040CCEF-mapping.dmp

    Download

  • memory/1688-99-0x0000000000000000-mapping.dmp

    Download

  • memory/1764-61-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-59-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-77-0x00000000744D0000-0x0000000074A7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1764-63-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-57-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-65-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-56-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-66-0x000000000040CCEF-mapping.dmp

    Download

  • memory/1764-68-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-69-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1764-71-0x00000000744D0000-0x0000000074A7B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1764-75-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download