Overview

overview

8

Static

static

208a692e92...33.exe

windows7-x64

3

208a692e92...33.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    155s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe

  • Size

    49KB

  • MD5

    042684e97b7cf5b84a3e78daa52aaa50

  • SHA1

    e847185be92aa176536b0d6f807c8467bbcce2ab

  • SHA256

    208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733

  • SHA512

    432dd6ae26fa249e7442409f9376e8bb3fcec98e3830212f89387101bcd882d154ef767c570ccc78c523aeaa9d41ee2e186ce7feb8599aa4cffe25c2dbde2669

  • SSDEEP

    768:QQPhPRtXHnscj7H5ThHv62cCjvHubO3JS2vPxWf8CPVrlO/To:Q4PRtdj7H59S2nvqKJ3u8+rlO8

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe
    "C:\Users\Admin\AppData\Local\Temp\208a692e9244d8f541651eb4b1e01b30cbbaec3c604dc66e527c4c5055d50733.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    870b615bd1f6e73bcd807d31b8678934

    SHA1

    6623daf15f495a66f0738c3c03bdbfd4bc7342d0

    SHA256

    186f4707b61526047271661adc8ffa8357d7a6ac36776d2c3bd1afad6a511fac

    SHA512

    774482b01beea35b1556a531dff40bbde7869225d9dbbde126b825b3bbc342e8529bcbb8f8c367251994ee6b28c41d33b2344bb6d03e82eae04bdee056b23c34

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    2e10fcc134f27d420ab008d510029099

    SHA1

    c3f1605296ddb4ac7668dd823ffd757736b3ff1f

    SHA256

    68d3e476ef187a66477b0c54524cae5dfabc6720bf9afe157d89452298b880d2

    SHA512

    a94ebfeafe9adf265c6cf917278cd09d8457f213af8396a16be8f6671bd943b1b2e312698004b43ef1eef895eee4d50f320cd405323bea36b0dade5e336e8926

    Download Submit
  • C:\Windows\SysWOW64\0042.DLL
    Filesize

    24KB

    MD5

    b00ce95da335507f5c332dccb84729a3

    SHA1

    dd384ae363f7ceab808245fb9ea36e9b8789c73f

    SHA256

    50182d62385b16dde06a52e3644e3ac2542216ca0a194fd9c9d405622af3a57f

    SHA512

    bd9fcb3a72de4d45d2e2d0c73afd34256d7ad76c721a6b6e98f6bc479d89731a354961886982097c6e2b4886bb140c15656d3de862d1066df5b35c48654b4fe2

    Download Submit
  • C:\Windows\SysWOW64\0042.DLL
    Filesize

    24KB

    MD5

    b00ce95da335507f5c332dccb84729a3

    SHA1

    dd384ae363f7ceab808245fb9ea36e9b8789c73f

    SHA256

    50182d62385b16dde06a52e3644e3ac2542216ca0a194fd9c9d405622af3a57f

    SHA512

    bd9fcb3a72de4d45d2e2d0c73afd34256d7ad76c721a6b6e98f6bc479d89731a354961886982097c6e2b4886bb140c15656d3de862d1066df5b35c48654b4fe2

    Download Submit
  • C:\Windows\SysWOW64\0042.DLL
    Filesize

    24KB

    MD5

    b00ce95da335507f5c332dccb84729a3

    SHA1

    dd384ae363f7ceab808245fb9ea36e9b8789c73f

    SHA256

    50182d62385b16dde06a52e3644e3ac2542216ca0a194fd9c9d405622af3a57f

    SHA512

    bd9fcb3a72de4d45d2e2d0c73afd34256d7ad76c721a6b6e98f6bc479d89731a354961886982097c6e2b4886bb140c15656d3de862d1066df5b35c48654b4fe2

    Download Submit
  • C:\Windows\SysWOW64\work.dat
    Filesize

    5KB

    MD5

    9f27058d4be3b8cb0d757501b9611d6d

    SHA1

    740a636abb0f8e058408091ea71452298853eca3

    SHA256

    17ebc6a1f0a0729184654f2e434a708a66c17984b15a557bd5af952870c74015

    SHA512

    81071a9db08abb353b4ff33b0ea42655af20610a5438557d50952c3b115a2b114e9956482b407c1efd0126935b8c08ac82d0b6ff265d1a5a1b9aad89c478584a

    Download Submit