Analysis

  • max time kernel
    150s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 09:52

General

  • Target

    43caf47dee6b47013963daec44bcdfedb9ec84095e8f4ad21b0fe98f63bff072.exe

  • Size

    458KB

  • MD5

    ba8363ab2c535e6a3d6d5ee1822c70a6

  • SHA1

    d4dfbb4e1b80d2001bb25d2bdfda4f861270c5c4

  • SHA256

    43caf47dee6b47013963daec44bcdfedb9ec84095e8f4ad21b0fe98f63bff072

  • SHA512

    fd1ab0c17231ed53f1df2f06d7f80789ef1467d221d0fda9b3c21a9620ac055ef7858927cca32ad4b7c097b069b1869c8f3754c2d9c71621e6f49829909bf23a

  • SSDEEP

    1536:cd04boUzdIBsZUpUQSe1sjL/91IqmM4nouy8:cdJboUpEsueFssP11I5Mwout

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43caf47dee6b47013963daec44bcdfedb9ec84095e8f4ad21b0fe98f63bff072.exe
    "C:\Users\Admin\AppData\Local\Temp\43caf47dee6b47013963daec44bcdfedb9ec84095e8f4ad21b0fe98f63bff072.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1548
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1976

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    8cd381eca2d5342e36b1e65a9b7f82d5

    SHA1

    d9b529576e1ea26e8daf88fcda26b7a0069da217

    SHA256

    17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

    SHA512

    c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    8641ac0a62e1e72023be75ceed4638a9

    SHA1

    a347dbd79e99d81cdd6ec77783008fec9f7e7d42

    SHA256

    d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

    SHA512

    9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

    Filesize

    472B

    MD5

    176c5bdeeb799ec212e8b21126aa58d5

    SHA1

    02c76719828821643ec84cfe61ecb4499838021c

    SHA256

    eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

    SHA512

    a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    a11df036197302afc2f98e174b80ad9f

    SHA1

    006365d5fe21621a9fd1b3183b1fbaf5e20fd83e

    SHA256

    4062c5bc67d1b6dcda6f5d4bf7e6646428d7e90ba082158a120eb25ae9f776ee

    SHA512

    ca7e9a14977a11077e1a482ef2625454343ffe517735a907a6071c6468a42994051339761aa078f2482f83660a9ca27ef58fae523c91a2540a235fbec7012b86

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4eac5b7683d9f139a868ef472d5562f5

    SHA1

    1db8d139b821ed8c788b66b59b8339f95c484c9b

    SHA256

    da85f0d4017378d2c2a42a75f714a31c9d1897ba8adceb5a2e0302a52d3f7a21

    SHA512

    af3e6320b1e7d23532c07e4372ae783aa09ca6e19f629a62502c18c92c36b17016ca592fffc7a2804e553207f4c80174e8b925ceeb20918e6e0a29bc58571d51

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    966e6de7cbcadb748651cc871e3ed736

    SHA1

    b6da8b19a7b4caef63c19565ad96bdcb132eb276

    SHA256

    e876f08b558ae3a23e301f986ab53272a76a7d2cbf042258334f7546e090ea89

    SHA512

    ae365854b31bbc7e86052bfc1a70adb5fcf7ac79809f0ff457b99cdb493a61b2434b5fa6b0da9e5012fcb0fc664b9c721e643ed8c7e56b60775cbda52fd3864a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8b13864b73162b183b43a5202eb4e58c

    SHA1

    c146b40a61b3267fce76a0e322f2246de0d02c9e

    SHA256

    f7bc2f8fb8a48837bd2ba6d4861d5d05dc86d243ca180b886a32b0cbbad04586

    SHA512

    3e7da05ae8a3d21690b7d315555db0052e0405d8a37000563f8d2c9a565f2fac8cc1441e8941794218e83cd3208b43d863de76c58be3fa81559f5d4993e0687d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3b742936eb5ca0bcd46134f5bdca67ab

    SHA1

    9bc8389a424326c2391f215df1e227c3a5f66a6b

    SHA256

    a2c35d989457e3e5ba8b661c20e3f4a00896765bd92d93a86a77c0e13f48ac7f

    SHA512

    019b87cd5a39b0b877df89278b0699b2d320e0bba396d978bf27903bc0a128efe6003b49f2de28551ba0eab4cedb433bd9684d5539279e84259cd2ede14f3d11

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    705754c25659d596912592ad861c2e22

    SHA1

    1022ecd7f776d0bac5eb062f3ae5144b502b3e08

    SHA256

    15ce9c356748cff70edb77eb1354c09e85249378f40bc846365ad9bc7026055b

    SHA512

    26fe16990d397dc86e27cb2d69ad367aae229da17523b5b5129896c47edbafaa25485057dd96509f02461ffaab54861e4a5f32fafe1b8810bd7ff2a869377d94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    95e7926e468f635774c00f6cc440ed4d

    SHA1

    ae223518faf9e11152c81f160249d32023f5d062

    SHA256

    3ce878512bc61c9aa7c6b65bbc115961b8eef5833699d97914706775dbbef85b

    SHA512

    bc7af92fa55d7f4dcd9f9521f170656c83f04514feeee4cdd369f56a1e595a3c3d095f8352d48828bb171ae0c5d5eb5c4566566ed784dcd54018a29635980204

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

    Filesize

    480B

    MD5

    560a1e10ba972690c4960b5c767b58a3

    SHA1

    24c5f2e946760e881024b01877c27e45b1096c23

    SHA256

    6c6aefd9d5ca5cf5f08ccc629374d4beb1c04c0290e59fb70338ae30d768c521

    SHA512

    d22c4df19dd7d35060a7e4883911c6b99aa38d9c57561a1e513b23ea07afce074b2c1a33c61051a9b1541e4c0d13f3195e6e12e9dabb28c947a25c47d015511e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\02WAXAK9.txt

    Filesize

    97B

    MD5

    089d948391340705d45666d5d0d4411e

    SHA1

    a19d0bb7869d2c3ef514dfac1318a34e4f24cd5a

    SHA256

    fdba9f65af0bca92cf67e467c7669fd17642f417f6f8d1beaeae2f0ce253c439

    SHA512

    d42d11614f572809e3f22b249402c47a040914bfd6bbd36ad3fe3117238d453f5148b71288981bd3cee472a843aed5985b6ef80ef6e0d7b00b04884f08905ba0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IXCG8CNQ.txt

    Filesize

    118B

    MD5

    c9e6150bbe1a3fe8e22130a3fdad2863

    SHA1

    3fc7a4cb8fe7598b0ad522d01724fd635c2098fb

    SHA256

    2ccf31be2c706fabf218e52de4314fa58759972b23374184f7a5dfe1667f9b78

    SHA512

    c16cf4ced35d4f60ccf9fac4317e5aeae7d1172aee99be3588d9f541c7f8f78118d26146fe0599e38219ece0f26b74e8f420cf0568ebfea4f72072a9e4e464ef

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P9QTXQR9.txt

    Filesize

    599B

    MD5

    d2683b20949ce2db3f371e907a6c3bd8

    SHA1

    514ecddf4d3979704dda90a33dac1819cd59292a

    SHA256

    1f0ae5af5ac996ef8d5a6bed547934218c909c7c7f6b5147d03bc161a0f42ef1

    SHA512

    0091abd9cb60075162b9a02c2761ec7fa967cf8cabe2dc6b175a890078a69c79e2c41160d04a4217de0b9c657b98b0a1f65c526bab32df7083bab0dfee59c47d

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    458KB

    MD5

    ba8363ab2c535e6a3d6d5ee1822c70a6

    SHA1

    d4dfbb4e1b80d2001bb25d2bdfda4f861270c5c4

    SHA256

    43caf47dee6b47013963daec44bcdfedb9ec84095e8f4ad21b0fe98f63bff072

    SHA512

    fd1ab0c17231ed53f1df2f06d7f80789ef1467d221d0fda9b3c21a9620ac055ef7858927cca32ad4b7c097b069b1869c8f3754c2d9c71621e6f49829909bf23a

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    458KB

    MD5

    ba8363ab2c535e6a3d6d5ee1822c70a6

    SHA1

    d4dfbb4e1b80d2001bb25d2bdfda4f861270c5c4

    SHA256

    43caf47dee6b47013963daec44bcdfedb9ec84095e8f4ad21b0fe98f63bff072

    SHA512

    fd1ab0c17231ed53f1df2f06d7f80789ef1467d221d0fda9b3c21a9620ac055ef7858927cca32ad4b7c097b069b1869c8f3754c2d9c71621e6f49829909bf23a

  • memory/1268-56-0x0000000076531000-0x0000000076533000-memory.dmp

    Filesize

    8KB

  • memory/1268-62-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/1548-84-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1548-85-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1548-72-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1548-71-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1548-68-0x000000000043C580-mapping.dmp

  • memory/1548-67-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2020-66-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/2020-59-0x0000000000000000-mapping.dmp