Overview

overview

8

Static

static

25abeef875...ad.exe

windows7-x64

8

25abeef875...ad.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    123s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe

  • Size

    6.2MB

  • MD5

    f65a72d90a92954a5268384e21f8480d

  • SHA1

    2afeed5ab78b05c44b1a683b4e2b6baab2b44a3b

  • SHA256

    25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad

  • SHA512

    13f852af9d637fc0fb770a6e796da753e9e383ea83df6faf757a6727ba3e3d0b7434603f18ec8d88d9796d8118524b16f467829ee1f6b46d9c357a355bdc79ad

  • SSDEEP

    98304:ylrZ4WJx/oW4JZJzMHgDTceWglJ/HDlRdsrK4PI9+C8qlXwX6Msa8QLBe23yB5L:m5Jx34TJwHgDA4J/BRtC7jqBYHLiV

Score
8/10
evasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
    "C:\Users\Admin\AppData\Local\Temp\25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe"
    1⤵
    • Sets service image path in registry
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\Net.exe
      Net Stop PcaSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 Stop PcaSvc
        3⤵
          PID:1692
      • C:\Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
        C:\Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1964
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1172

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      3dcf580a93972319e82cafbc047d34d5

      SHA1

      8528d2a1363e5de77dc3b1142850e51ead0f4b6b

      SHA256

      40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

      SHA512

      98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0c3786686bdb0df408f0ea05e4764c7c

      SHA1

      6ffff56b338886123a501f96dfde4c23fa000c68

      SHA256

      b0160f4b5a7149e6b9e50ef063f3d9b29e716bcee3447af56c7456bf84aa4e1c

      SHA512

      7cade352e09d7dae15c40863d8d70d7eb6e077aa603d4467e627d81922b377a52ca577b9a160cf2dff1ec29a241c1c044af0628c1d6c977376393aba4509b3a7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WTZS0C6W.txt
      Filesize

      608B

      MD5

      fb7512bf337ba3c64009a6142c58f5d6

      SHA1

      4390251d4e98a2d296c297855abbcce7a8c4933a

      SHA256

      e84498d9930ab01a96c23358eb96f6ba2c004785b03a3822c04a319296d94017

      SHA512

      bffc85f853bb87ccf29e9c9c760e699ad0c5c386cdc2d928b33959f22d27f32e1a775e431c342f70c99bd2d215820873e85d2be884c22392cdef3fc0fa87c03f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\g8780\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • memory/1148-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1692-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1964-60-0x0000000000000000-mapping.dmp
      Download