Overview

overview

10

Static

static

27412da38f...63.exe

windows7-x64

10

27412da38f...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 10:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27412da38fde9ef39250693ad281dbb222b83a032322460fe3f0144ee80b0d63.exe

  • Size

    244KB

  • MD5

    17c90fb4c2d6c8503a52212d68740319

  • SHA1

    fe8483c33b14ca013da36afdc1278ac220b8bd3d

  • SHA256

    27412da38fde9ef39250693ad281dbb222b83a032322460fe3f0144ee80b0d63

  • SHA512

    c978c6303a89125723aeb2cadcbeb945ed1f7341bb956f231f6c3104c02f4aa68a61041a59ee800edcea1623bf8b76bd6e84f6e987749462ab43ef0cc07af74a

  • SSDEEP

    6144:1ND+xKDtDAr6GBzeS5bzQiOTn+fD3sUGMBjMu:KxCDAm0eS5bzQiOTn+fD39Bj

Score
10/10
adwareevasionspywarestealertrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\27412da38fde9ef39250693ad281dbb222b83a032322460fe3f0144ee80b0d63.exe
    "C:\Users\Admin\AppData\Local\Temp\27412da38fde9ef39250693ad281dbb222b83a032322460fe3f0144ee80b0d63.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\24112022.exe
      "C:\Users\Admin\24112022.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Installs/modifies Browser Helper Object
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3968
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s c:\Users\Admin\cckwfsmm\cckwfsmm.dll
        3⤵
          PID:3276
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s c:\Users\Admin\cckwfsmm\cckwfsmm.dll
          3⤵
            PID:2860
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4988

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\24112022.exe
        Filesize

        244KB

        MD5

        17c90fb4c2d6c8503a52212d68740319

        SHA1

        fe8483c33b14ca013da36afdc1278ac220b8bd3d

        SHA256

        27412da38fde9ef39250693ad281dbb222b83a032322460fe3f0144ee80b0d63

        SHA512

        c978c6303a89125723aeb2cadcbeb945ed1f7341bb956f231f6c3104c02f4aa68a61041a59ee800edcea1623bf8b76bd6e84f6e987749462ab43ef0cc07af74a

        Download Submit

      • C:\Users\Admin\24112022.exe
        Filesize

        244KB

        MD5

        17c90fb4c2d6c8503a52212d68740319

        SHA1

        fe8483c33b14ca013da36afdc1278ac220b8bd3d

        SHA256

        27412da38fde9ef39250693ad281dbb222b83a032322460fe3f0144ee80b0d63

        SHA512

        c978c6303a89125723aeb2cadcbeb945ed1f7341bb956f231f6c3104c02f4aa68a61041a59ee800edcea1623bf8b76bd6e84f6e987749462ab43ef0cc07af74a

        Download Submit

      • C:\Users\Admin\24112022.tmp
        Filesize

        106B

        MD5

        674e88b726353f6a2cabd4359176f65b

        SHA1

        c1d09063837b46390120b6a7d55697f695dfa6da

        SHA256

        8677e683e8bffb8a65cede2fcd0977a377d3640aa5a140a1e2b12c79afa15e1a

        SHA512

        0735a0123d03b18869ba3f9901c0baf913504687cd79911760c86e2b504ad79707796a6f62c26c4ca8c371c755b8dd1513e954908a580b6d972699513f1e9221

        Download Submit

      • memory/2860-141-0x0000000000000000-mapping.dmp

        Download

      • memory/3276-140-0x0000000000000000-mapping.dmp

        Download

      • memory/3968-134-0x0000000000000000-mapping.dmp

        Download