Overview

overview

8

Static

static

25abeef875...ad.exe

windows7-x64

8

25abeef875...ad.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    184s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe

  • Size

    6.2MB

  • MD5

    f65a72d90a92954a5268384e21f8480d

  • SHA1

    2afeed5ab78b05c44b1a683b4e2b6baab2b44a3b

  • SHA256

    25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad

  • SHA512

    13f852af9d637fc0fb770a6e796da753e9e383ea83df6faf757a6727ba3e3d0b7434603f18ec8d88d9796d8118524b16f467829ee1f6b46d9c357a355bdc79ad

  • SSDEEP

    98304:ylrZ4WJx/oW4JZJzMHgDTceWglJ/HDlRdsrK4PI9+C8qlXwX6Msa8QLBe23yB5L:m5Jx34TJwHgDA4J/BRtC7jqBYHLiV

Score
8/10
evasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe
    "C:\Users\Admin\AppData\Local\Temp\25abeef875ec6079414b6804248a97c6101eefc689984289b79172cfea5340ad.exe"
    1⤵
    • Sets service image path in registry
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of SetWindowsHookEx
      PID:2700
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
    1⤵
      PID:720
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4444

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\g8F32\Yamicsoft.Vista.Manager.v3.0.0.Incl.Keymaker-CORE.exe
      Filesize

      4.3MB

      MD5

      33007da7cd61792e63acba2a48d373cd

      SHA1

      e33f07778555ddff8138fccaa80629eda9adbd55

      SHA256

      9d07531ac0deb500f122d145f15851dfe7a06007fd5bdb2a22476e6e1c3cd573

      SHA512

      01bb378c7c341797728f50619094f3c059d2a34286815436fbab226b739b24c16208800fb2b51278e6a1857484a95b9d59fa045608be143429d4d556343b6e0f

      Download Submit
    • memory/2700-132-0x0000000000000000-mapping.dmp
      Download