Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 10:10

General

  • Target

    abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc.exe

  • Size

    444KB

  • MD5

    63743cbbcc78aad78ea5e77ebdf97f08

  • SHA1

    7f5c36955707ee36aaaf4674340ca367a9e94cba

  • SHA256

    abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc

  • SHA512

    ae67177632f5674700b10589e6aeec3bdff1f28220defc75ba28f089994acb16be56386f605653d5ee45ad0c5d7f2b37339f8902fc3692c46d062eb785ea9b66

  • SSDEEP

    1536:9NhENNo2oa5pHwAVvu0IysOPv3YdI3EpCK+V5iR/yKoDn66XujshkGXE7rFKh:9gN5ogyJ0XgdsEIKlyKo26Jkj7rF

Malware Config

Signatures

  • Modifies firewall policy service (2 TTPs, 14 IoCs)
  • Modifies security service (2 TTPs, 1 IoC)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • UAC bypass (3 TTPs, 3 IoCs)
  • Windows security bypass (2 TTPs, 4 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory (1 IoC)
  • Executes dropped EXE (3 IoCs)
  • Sets file execution options in registry (2 TTPs, 64 IoCs)
  • UPX packed file (13 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 15 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 37 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 2 IoCs)
  • Modifies registry class (24 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (33 IoCs)
  • System policy modification (1 TTP, 4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc.exe
    "C:\Users\Admin\AppData\Local\Temp\abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc.exe
      "C:\Users\Admin\AppData\Local\Temp\abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:684
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:824
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1256
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1112

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      2KB

      MD5

      8cd381eca2d5342e36b1e65a9b7f82d5

      SHA1

      d9b529576e1ea26e8daf88fcda26b7a0069da217

      SHA256

      17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

      SHA512

      c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      8641ac0a62e1e72023be75ceed4638a9

      SHA1

      a347dbd79e99d81cdd6ec77783008fec9f7e7d42

      SHA256

      d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

      SHA512

      9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

      Filesize

      472B

      MD5

      176c5bdeeb799ec212e8b21126aa58d5

      SHA1

      02c76719828821643ec84cfe61ecb4499838021c

      SHA256

      eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

      SHA512

      a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      488B

      MD5

      3296a677fb14aafbc4da8bc91f9a0424

      SHA1

      190f744fb38839b37eb08d8d85efa923f44e30cb

      SHA256

      0d501e6a1b9631a74b6f3ac0f6ee1a999c5d92c1c22cccd96058b2f66cd1bf56

      SHA512

      99b1f5fe816fa7e5f73a98bde38105a5a9f017819c5c22f7beb0340fb3a78473c33860f2d3c6be3244ca8e8fdf25085b628a17c25fbc858f7802d6d86f35b665

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      487941e41228a5ea1a358e41f17870c3

      SHA1

      5802d07fb73d450e58a55ae13fd59309882f8227

      SHA256

      ce05588fb1d883ba0bbb16d4e753e47ee3d37d592616c1e06157c0b5c10ea502

      SHA512

      e4c742eb97f8b13825b123bed2c381e46d4e984a4259bc531717503f738643bc4363034a6417c17baf8d311700b8fed4b6ac8277ee5b9133831010fca31d2363

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8e9d20db7b19cb6ad356f33410c331e5

      SHA1

      b8646a4d6a7e829a5c5854943508df85ea9fb629

      SHA256

      e28367a7f4459e7b3d32e49acf026ebf5bd259fbd415bfec280cfd0da035b074

      SHA512

      3124c31b5db450f9c066758e66d5cb38ecec85a52df42d243d579935a680a70d21986ce39a08e2e597afa49ba2f5e0aadacf0345c5a553abfb299b11c44dd2f3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8453f8282c1d3f4c7cb267a1402e0ee7

      SHA1

      7c4bc5f5ab60a2e867894d67d61bbcf04f8f6a51

      SHA256

      949bd48f82eb4ce8df606ac26182563e37ca9df5445e56528ca73713996c7d8b

      SHA512

      df4f2938593db575870663c2025ec7c9c3a6235c2683b43fea3640b680794b5bfbb787db379b9067db3b34338d1ce8e014acb9fb3b5e2c5b86fa941044f04010

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      4f491ac86b78006cb64e64d6d23c7b91

      SHA1

      e67e125a076465092db1ba5d0729c44a2947de72

      SHA256

      02c74c90bc16ae09baab785666bfa8dbaeb3a9ec4ab7c0d11c3db5e66470ea81

      SHA512

      db47ca408a36a92dbf0ba3ad09562c7c67f744bc25267a8b6f96ebb43033d4002c3c372ce759a57b57287fc9a788368a0fcd683ca2c16e3e5de32da92166e498

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

      Filesize

      480B

      MD5

      91548739b1ffd799f3580da96dd5660e

      SHA1

      3ed7106d64f35b75b41e915344111a3a11db2176

      SHA256

      d88d7c03bd4f53ba11ed457437ac0a61ccbe77463454dd1250fbbd7c2a820ab3

      SHA512

      74bada64eae4c6d3c2dce609899ee37dca3c21e952c12312c35224433c89a071d0fff66ee7ef738ab70db7494f7c488b824b63e794d027222339a030b83a7b3f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R041LFUE.txt

      Filesize

      97B

      MD5

      87aa9e45c7b3c83cbfaaaf725c3d91b4

      SHA1

      ca2f5c9d2d5720c713882d52ad21c44d86d075dc

      SHA256

      72232760fd144d64c12e00cbfeae8d40eedd5e33e7ca241b25c44ecf26c28b3a

      SHA512

      d077ccabec0f64337634e6808f48272452fb166da7d62bd84b7632bc186ddb71ddff2a2894d5974030d5cac7a7456cf2694d5a7c4a864a3822f5137cd737c140

    • C:\Users\Admin\E696D64614\winlogon.exe

      Filesize

      444KB

      MD5

      63743cbbcc78aad78ea5e77ebdf97f08

      SHA1

      7f5c36955707ee36aaaf4674340ca367a9e94cba

      SHA256

      abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc

      SHA512

      ae67177632f5674700b10589e6aeec3bdff1f28220defc75ba28f089994acb16be56386f605653d5ee45ad0c5d7f2b37339f8902fc3692c46d062eb785ea9b66

    • \Users\Admin\E696D64614\winlogon.exe

      Filesize

      444KB

      MD5

      63743cbbcc78aad78ea5e77ebdf97f08

      SHA1

      7f5c36955707ee36aaaf4674340ca367a9e94cba

      SHA256

      abbee632b1274612745e455cbecec3862ed85be9ad34a0a8cd33bee3814908fc

      SHA512

      ae67177632f5674700b10589e6aeec3bdff1f28220defc75ba28f089994acb16be56386f605653d5ee45ad0c5d7f2b37339f8902fc3692c46d062eb785ea9b66

    • memory/684-68-0x0000000000000000-mapping.dmp

    • memory/824-90-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/824-87-0x000000000043AAC0-mapping.dmp

    • memory/824-105-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/824-91-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/824-92-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/824-96-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/824-86-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1320-77-0x0000000000417520-mapping.dmp

    • memory/1320-85-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-54-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-65-0x0000000075781000-0x0000000075783000-memory.dmp

      Filesize

      8KB

    • memory/1732-62-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-61-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-59-0x0000000000417520-mapping.dmp

    • memory/1732-58-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-70-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-57-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1732-55-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB