Overview

overview

8

Static

static

9211a42cd6...c8.exe

windows7-x64

8

9211a42cd6...c8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe

  • Size

    252KB

  • MD5

    39f80f18b02ee0cf9bba3a0d01900cd1

  • SHA1

    4f74bd8dc6a7b93acca7e8ecb773c571a0e61f6b

  • SHA256

    9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8

  • SHA512

    925123513e9c7dc723d4242f7ce8fade4db2944483467c334ba76123808d301481f2bfa2219bbbd1ca8a677908843e716352f33543675bb8d6472e5b1e9b3501

  • SSDEEP

    6144:6P6nejFShV25IXS7XAj+Lv998rirykvW9s8kedZCzNogr8Q+W:44O8hOXAo98rT2W1kedZ2p8Qr

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe
    "C:\Users\Admin\AppData\Local\Temp\9211a42cd6e5b29b072632650e6396c1caad5803db8225c1e198da5ba5e88cc8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Modifies registry class
        PID:3952
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5108
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4348
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4420

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    93KB

    MD5

    839764dccf448b5d78fc7e4864b9787c

    SHA1

    9b8cd9cbfd8207a301e117a3026513bd062a8700

    SHA256

    925f797a33b752114d7e6713382c3e4c615e6b0a7f143e6ad7a8fe3193c5b7d3

    SHA512

    a3d0cffe34c634b7531fa736ef1c38e9df6e87bcf51dc84a6ab55db33c7f5541c6b63eaebb0ead38d9e1e63d6ca1e4c3b25b02d4407946b9be5e23c7b2171278

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    93KB

    MD5

    839764dccf448b5d78fc7e4864b9787c

    SHA1

    9b8cd9cbfd8207a301e117a3026513bd062a8700

    SHA256

    925f797a33b752114d7e6713382c3e4c615e6b0a7f143e6ad7a8fe3193c5b7d3

    SHA512

    a3d0cffe34c634b7531fa736ef1c38e9df6e87bcf51dc84a6ab55db33c7f5541c6b63eaebb0ead38d9e1e63d6ca1e4c3b25b02d4407946b9be5e23c7b2171278

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    93KB

    MD5

    839764dccf448b5d78fc7e4864b9787c

    SHA1

    9b8cd9cbfd8207a301e117a3026513bd062a8700

    SHA256

    925f797a33b752114d7e6713382c3e4c615e6b0a7f143e6ad7a8fe3193c5b7d3

    SHA512

    a3d0cffe34c634b7531fa736ef1c38e9df6e87bcf51dc84a6ab55db33c7f5541c6b63eaebb0ead38d9e1e63d6ca1e4c3b25b02d4407946b9be5e23c7b2171278

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    93KB

    MD5

    839764dccf448b5d78fc7e4864b9787c

    SHA1

    9b8cd9cbfd8207a301e117a3026513bd062a8700

    SHA256

    925f797a33b752114d7e6713382c3e4c615e6b0a7f143e6ad7a8fe3193c5b7d3

    SHA512

    a3d0cffe34c634b7531fa736ef1c38e9df6e87bcf51dc84a6ab55db33c7f5541c6b63eaebb0ead38d9e1e63d6ca1e4c3b25b02d4407946b9be5e23c7b2171278

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SogouPinyin.local
    Filesize

    89B

    MD5

    2484161390f1a45f8d92de66d64e8c40

    SHA1

    1fb7d0dcc990ab9ac012bb9c1aa8b9516209066d

    SHA256

    6768041a60075bbbeef62c45e6e40e898dfa12ff7f72a8fe371982bc819b3473

    SHA512

    c4b8748fa0b61526825ce9cbfb2f8c036fc4482d3ff61c4ad779a1796457fdb1cea387a9ea5e98bd6f988d2846fc05368d9d80d0d84c38851ba420d5f2907272

    Download Submit

  • memory/3836-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3836-137-0x0000000002240000-0x00000000022AD000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3952-135-0x0000000000000000-mapping.dmp

    Download

  • memory/5108-140-0x00007FF87FA20000-0x00007FF87FA8D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/5108-141-0x00007FF87FA20000-0x00007FF87FA8D000-memory.dmp

    Filesize

    436KB

    Download