Analysis
-
max time kernel
150s -
max time network
165s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
25-11-2022 22:36
General
-
Target
1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe
-
Size
817KB
-
MD5
2081d437e182ae1206c8536144650aed
-
SHA1
290f54279ccef388db484a3111f4100decdd66a0
-
SHA256
1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49
-
SHA512
c4edce1b095f28fb879c6b673e65a832f6b177d6365ed6675e0f6bc928aceb8091ed3e1c39b6694efd49c25ffcce3c1849f56f5b480f7f93c045e0d44fdc523e
-
SSDEEP
24576:iFszWS5ZkKpLURv9Ss8yuUBYxbTGFL0RHSiCh7AmxH2:iVKZ0v9mcp6g2
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 5 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe"C:\Users\Admin\AppData\Local\Temp\1c50e360f80a83b9e31ffb0594094f9da55c37b0f49eefdd5ea2a978360fde49.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CDClient.exe"C:\Users\Admin\AppData\Local\Temp\CDClient.exe"2⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\SysWOW64\100512.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\SysWOW64\100524.bat3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B4⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEhttp://www.so.com3⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.so.com4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.datFilesize
1KB
MD5125fa4fbe6c35b2ed5fe5919be9c4539
SHA1b966a8058fe6a56183f2896b42362bbd0aa9eb2c
SHA256dafbeaf847d83bec030ef1705fbe06f090f0a1cc9a339df7e41b93b3f3257c0f
SHA51288a225941bcfceaed01baed55927670c1df4789e888954a9f3536cf6b06a67a2c4b7ceb66149c52e885c01b6a214bd6fcbaf83109c3c5c7e40a21e6ec4b1f492
-
C:\Users\Admin\AppData\Local\Temp\CDClient.exeFilesize
726KB
MD57fc1aea7e0dfbcc01a66d71d40361526
SHA159e013d6e8057040617863fa8e608c06aa2a89db
SHA256de887f3306edd61d58683e294b807812080099d8c6d16fc63fcae06f13f5403f
SHA512d02821910683489d65ab9f267cb7a9d8dada96b930d40f1e5072681c2b3b7db56f539d0376027d073a8712f36d9e15a55cf7518bba3f10df171dfb559d42afa6
-
C:\Users\Admin\AppData\Local\Temp\CDClient.exeFilesize
726KB
MD57fc1aea7e0dfbcc01a66d71d40361526
SHA159e013d6e8057040617863fa8e608c06aa2a89db
SHA256de887f3306edd61d58683e294b807812080099d8c6d16fc63fcae06f13f5403f
SHA512d02821910683489d65ab9f267cb7a9d8dada96b930d40f1e5072681c2b3b7db56f539d0376027d073a8712f36d9e15a55cf7518bba3f10df171dfb559d42afa6
-
C:\Windows\SysWOW64\100512.batFilesize
5KB
MD5ad0d80bf6b4292dbada25f7f8fd6556c
SHA140133d1dea9905bf406fb88efcb57cd693e6cf43
SHA256081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1
SHA51276eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb
-
C:\Windows\SysWOW64\100524.batFilesize
5KB
MD5ad0d80bf6b4292dbada25f7f8fd6556c
SHA140133d1dea9905bf406fb88efcb57cd693e6cf43
SHA256081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1
SHA51276eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb
-
\Users\Admin\AppData\Local\Temp\C67B42\xvprtHm.dllFilesize
594KB
MD54b236ba3d674066e792a9d51700a3ce9
SHA1079cded909cfe7d7c73a39d22e514f8af060a1ed
SHA256eae10dd2beca649bbfd1c8f41028fb24eaa2e7406ba4aca9e93c7e7791bd31de
SHA5120c7685b1063d0556bb1b6a29d9ce1b2d92fdce50c1b690d48e9528791a1bc3e83c79258e12a1c1a5412bd21dd2bb0fc9de991ae2de831bdde08bf3c1f5d29a8c
-
\Users\Admin\AppData\Local\Temp\C67B42\yImxlus.dllFilesize
545KB
MD5cb2bef431de55af9a7a89e34685f11d2
SHA17dd2bad9c51428b078f2652020de7b16bd8863eb
SHA256961cdf8d6e7a4328637ff7626aec0961bb383d4aa0af28517661ac54a4db85fa
SHA512178ea54e4cd120a95900eacf56b0da294690d635f0c063d2565d81fdfac1040b1b44d1c66df39e45d57678e9a979b2e59f62c76f0be31c30e06d11e102c82b4c
-
\Users\Admin\AppData\Local\Temp\CDClient.exeFilesize
726KB
MD57fc1aea7e0dfbcc01a66d71d40361526
SHA159e013d6e8057040617863fa8e608c06aa2a89db
SHA256de887f3306edd61d58683e294b807812080099d8c6d16fc63fcae06f13f5403f
SHA512d02821910683489d65ab9f267cb7a9d8dada96b930d40f1e5072681c2b3b7db56f539d0376027d073a8712f36d9e15a55cf7518bba3f10df171dfb559d42afa6
-
\Windows\SysWOW64\JECsCq.dllFilesize
63KB
MD5fd8d4e1d20d085593e26e4fb879aac1f
SHA1dd233f681bd4807851963736fe4554e152d06793
SHA25639c865da0e189d296eae8838d9240aefadfd63507b070fa0e6803910a51202f3
SHA512dee6185217cf4b9bfc1fb526ec365de67294f8ddeea95eaa5f72628731b52136cc2fa703a84cf35a22a32b870bbeb1f068192336474880c03c879380e7eac317
-
memory/432-66-0x0000000000000000-mapping.dmp
-
memory/896-56-0x0000000000000000-mapping.dmp
-
memory/896-77-0x0000000074090000-0x00000000740B3000-memory.dmpFilesize
140KB
-
memory/968-54-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/1016-71-0x0000000000000000-mapping.dmp
-
memory/1548-61-0x0000000000000000-mapping.dmp
-
memory/1744-73-0x0000000000000000-mapping.dmp
-
memory/1952-68-0x0000000000000000-mapping.dmp
-
memory/1992-64-0x0000000000000000-mapping.dmp