2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627

Analysis

max time kernel
139s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
Size

902KB
MD5

7201682614e96eeed10b75af102ca4aa
SHA1

52781036d635f0a0e977f1737242725cf0964fa1
SHA256

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627
SHA512

d6657af20254844e9d8a0dea129cf45a1f7813bd637900eccfdb0ad20ce92dc5d673586563620658c858c85c2b96df8023c0a2b5212e6c1a3a3c814096a6093f
SSDEEP

24576:ahwqArbintq30p9TQxpTWYINxtAX3l+ah9:pdnintyOkvUx+l+ah

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
manroyal

Signatures

Executes dropped EXE 4 IoCs

Processes:

C++.exesvchost.exeserver.exeiexplorer.exe

pid process

648 C++.exe
2028 svchost.exe
1968 server.exe
1132 iexplorer.exe

pid	process
648	C++.exe
2028	svchost.exe
1968	server.exe
1132	iexplorer.exe

Loads dropped DLL 6 IoCs

Processes:

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exeC++.exeserver.exe

pid	process
1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
648	C++.exe
1968	server.exe
1968	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\iexplorer.exe"	iexplorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe

description	pid	process	target process
PID 1104 set thread context of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

C++.exeserver.exeiexplorer.exe

description	pid	process
Token: 33	648	C++.exe
Token: SeIncBasePriorityPrivilege	648	C++.exe
Token: 33	648	C++.exe
Token: SeIncBasePriorityPrivilege	648	C++.exe
Token: 33	648	C++.exe
Token: SeIncBasePriorityPrivilege	648	C++.exe
Token: 33	648	C++.exe
Token: SeIncBasePriorityPrivilege	648	C++.exe
Token: 33	1968	server.exe
Token: SeIncBasePriorityPrivilege	1968	server.exe
Token: 33	1968	server.exe
Token: SeIncBasePriorityPrivilege	1968	server.exe
Token: 33	1968	server.exe
Token: SeIncBasePriorityPrivilege	1968	server.exe
Token: 33	1968	server.exe
Token: SeIncBasePriorityPrivilege	1968	server.exe
Token: SeDebugPrivilege	1132	iexplorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplorer.exe

pid process

1132 iexplorer.exe

pid	process
1132	iexplorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exeC++.exeserver.exe

description	pid	process	target process
PID 1104 wrote to memory of 648	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 1104 wrote to memory of 648	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 1104 wrote to memory of 648	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 1104 wrote to memory of 648	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 1104 wrote to memory of 2028	1104	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 648 wrote to memory of 1968	648	C++.exe	server.exe
PID 648 wrote to memory of 1968	648	C++.exe	server.exe
PID 648 wrote to memory of 1968	648	C++.exe	server.exe
PID 648 wrote to memory of 1968	648	C++.exe	server.exe
PID 1968 wrote to memory of 1132	1968	server.exe	iexplorer.exe
PID 1968 wrote to memory of 1132	1968	server.exe	iexplorer.exe
PID 1968 wrote to memory of 1132	1968	server.exe	iexplorer.exe
PID 1968 wrote to memory of 1132	1968	server.exe	iexplorer.exe

C:\Users\Admin\AppData\Local\Temp\2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
"C:\Users\Admin\AppData\Local\Temp\2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\C++.exe
"C:\Users\Admin\AppData\Local\Temp\C++.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\netframe\1.2.1.2\2012.02.18T03.08\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\netframe\1.2.1.2\2012.02.18T03.08\Native\STUBEXE\@APPDATA@\iexplorer.exe
"C:\Users\Admin\AppData\Roaming\iexplorer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C++.exe
Filesize
357KB

MD5
39894012ee699ef11d3e72d9b3ef7eed

SHA1
68410a68e795e1fe1213e727ebdd2f528d9a40c0

SHA256
88a6e338a8a774df81819439c3d319baa85db99b31880dc54f4636f56cd3d218

SHA512
6619d0e1afdb60aa4348b9f650ad9d2b33ba1218faeabceef75b2da25221bf300a47744e8d952c961987071c4050f90c18f9da27f1af338509a9e834eeb6779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C++.exe
Filesize
357KB

MD5
39894012ee699ef11d3e72d9b3ef7eed

SHA1
68410a68e795e1fe1213e727ebdd2f528d9a40c0

SHA256
88a6e338a8a774df81819439c3d319baa85db99b31880dc54f4636f56cd3d218

SHA512
6619d0e1afdb60aa4348b9f650ad9d2b33ba1218faeabceef75b2da25221bf300a47744e8d952c961987071c4050f90c18f9da27f1af338509a9e834eeb6779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\netframe\1.2.1.2\2012.02.18T03.08\Native\STUBEXE\@APPDATA@\iexplorer.exe
Filesize
17KB

MD5
2b5cf707e94c69fa76ddc6f3613b1482

SHA1
05f5cae23e7074cfbad6145d1d74d14508eab704

SHA256
5ce38492be11bd2851b3553b25614c1b09c248c66c770a3af676bb86c402c2ab

SHA512
82e0714a31876993dfac5900cc01b0132a2ad47a3472069659dc60c0cc3805cb74fd714c91ea353956c56fe8c1a12092f24b2c06596244d7d365d9ca3cdfc844

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\netframe\1.2.1.2\2012.02.18T03.08\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe
Filesize
17KB

MD5
2b5cf707e94c69fa76ddc6f3613b1482

SHA1
05f5cae23e7074cfbad6145d1d74d14508eab704

SHA256
5ce38492be11bd2851b3553b25614c1b09c248c66c770a3af676bb86c402c2ab

SHA512
82e0714a31876993dfac5900cc01b0132a2ad47a3472069659dc60c0cc3805cb74fd714c91ea353956c56fe8c1a12092f24b2c06596244d7d365d9ca3cdfc844

Download Submit
C:\Users\Admin\AppData\Roaming\iexplorer.exe
Filesize
46KB

MD5
a4d139b161a733152e3db034e4fd4afd

SHA1
469b7498d2b9f81458ea41e632910d7e47e97b10

SHA256
1350b29bccebf5213a03e3eee72c93d17e245ce0e639d373d9f08581b15018ec

SHA512
b7706a26611f17454cc2b21234e40d559a783adcc9d0d798f74fa27378ac0f9c17ed1c212776962abbed1b144ac1657c9595597823d011f20c7384e167f0ea8b

Download Submit
\Users\Admin\AppData\Local\Temp\C++.exe
Filesize
357KB

MD5
39894012ee699ef11d3e72d9b3ef7eed

SHA1
68410a68e795e1fe1213e727ebdd2f528d9a40c0

SHA256
88a6e338a8a774df81819439c3d319baa85db99b31880dc54f4636f56cd3d218

SHA512
6619d0e1afdb60aa4348b9f650ad9d2b33ba1218faeabceef75b2da25221bf300a47744e8d952c961987071c4050f90c18f9da27f1af338509a9e834eeb6779d

Download Submit
\Users\Admin\AppData\Local\Temp\C++.exe
Filesize
357KB

MD5
39894012ee699ef11d3e72d9b3ef7eed

SHA1
68410a68e795e1fe1213e727ebdd2f528d9a40c0

SHA256
88a6e338a8a774df81819439c3d319baa85db99b31880dc54f4636f56cd3d218

SHA512
6619d0e1afdb60aa4348b9f650ad9d2b33ba1218faeabceef75b2da25221bf300a47744e8d952c961987071c4050f90c18f9da27f1af338509a9e834eeb6779d

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\netframe\1.2.1.2\2012.02.18T03.08\Native\STUBEXE\@APPDATA@\iexplorer.exe
Filesize
17KB

MD5
2b5cf707e94c69fa76ddc6f3613b1482

SHA1
05f5cae23e7074cfbad6145d1d74d14508eab704

SHA256
5ce38492be11bd2851b3553b25614c1b09c248c66c770a3af676bb86c402c2ab

SHA512
82e0714a31876993dfac5900cc01b0132a2ad47a3472069659dc60c0cc3805cb74fd714c91ea353956c56fe8c1a12092f24b2c06596244d7d365d9ca3cdfc844

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\netframe\1.2.1.2\2012.02.18T03.08\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server.exe
Filesize
17KB

MD5
2b5cf707e94c69fa76ddc6f3613b1482

SHA1
05f5cae23e7074cfbad6145d1d74d14508eab704

SHA256
5ce38492be11bd2851b3553b25614c1b09c248c66c770a3af676bb86c402c2ab

SHA512
82e0714a31876993dfac5900cc01b0132a2ad47a3472069659dc60c0cc3805cb74fd714c91ea353956c56fe8c1a12092f24b2c06596244d7d365d9ca3cdfc844

Download Submit
\Users\Admin\AppData\Roaming\iexplorer.exe
Filesize
46KB

MD5
a4d139b161a733152e3db034e4fd4afd

SHA1
469b7498d2b9f81458ea41e632910d7e47e97b10

SHA256
1350b29bccebf5213a03e3eee72c93d17e245ce0e639d373d9f08581b15018ec

SHA512
b7706a26611f17454cc2b21234e40d559a783adcc9d0d798f74fa27378ac0f9c17ed1c212776962abbed1b144ac1657c9595597823d011f20c7384e167f0ea8b

Download Submit
memory/648-112-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-62-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-76-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-78-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-80-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-82-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-84-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-86-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-88-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-90-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-92-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-94-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-96-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-98-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-100-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-102-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-104-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-106-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-108-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-110-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-72-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-114-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-116-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-118-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-120-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-70-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-122-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-58-0x0000000000000000-mapping.dmp

Download
memory/648-715-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-61-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-74-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-257-0x000000000054B000-0x000000000054D000-memory.dmp

Filesize
8KB

Download
memory/648-68-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-64-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/648-66-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/1104-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-234-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1132-1011-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-1010-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1132-1009-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-1007-0x000000000026B000-0x000000000026D000-memory.dmp

Filesize
8KB

Download
memory/1132-1008-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1132-695-0x0000000000000000-mapping.dmp

Download
memory/1132-735-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1968-382-0x0000000000000000-mapping.dmp

Download
memory/1968-699-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-697-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1968-689-0x0000000000350000-0x00000000003BC000-memory.dmp

Filesize
432KB

Download
memory/1968-692-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-691-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1968-690-0x000000000039B000-0x000000000039D000-memory.dmp

Filesize
8KB

Download
memory/2028-197-0x000000000100645C-mapping.dmp

Download