Overview

overview

8

Static

static

5cbc55701a...ad.exe

windows7-x64

8

5cbc55701a...ad.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    171s
  • max time network
    262s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cbc55701a7f6973ea3985d469c2d2d9de8f5642de947c2a1e5813b4fd0363ad.exe

  • Size

    3.8MB

  • MD5

    ee887f2b5372f8b906ddd78c4555ab28

  • SHA1

    714774a575d8594f29e86ac061bded3628aaceb5

  • SHA256

    5cbc55701a7f6973ea3985d469c2d2d9de8f5642de947c2a1e5813b4fd0363ad

  • SHA512

    8e1373a49becaf1def732ff4febc003c32d2169e5432eeda7d7599b618a26d79f35b7215162501aab42983bd2e66cff1f28fe3be899243434dbd18da2670c6d4

  • SSDEEP

    49152:Ye5KVFpiXThKVUKO8SsZ8wVFu+4p1ewogVdtXZ+iL35r8H:qFp8hSUKO8/Tu+SdJZjZ8H

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cbc55701a7f6973ea3985d469c2d2d9de8f5642de947c2a1e5813b4fd0363ad.exe
    "C:\Users\Admin\AppData\Local\Temp\5cbc55701a7f6973ea3985d469c2d2d9de8f5642de947c2a1e5813b4fd0363ad.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1336
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x578
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\AngryMailer_1.0.2.1\SkinH.dll
    Filesize

    95KB

    MD5

    8c00426ffcb551ba07904d9a67843bb4

    SHA1

    0c1daffaf62497cfa121320b386024a1c18b9be9

    SHA256

    2c1186029848788fe6fb2ab7cc2a1b9263a872e477344a3483e13ab89604e16c

    SHA512

    c235ef09f2b96142e062b87df76906c224e7256baabdc0c68d89b52b8603e0d16e6c6c5f98f3fb1fadef5fa117d516ee5ca4e7ecb2a47ecf752db56bd28f732a

    Download Submit
  • memory/1336-54-0x0000000076651000-0x0000000076653000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1336-56-0x0000000010000000-0x0000000010054000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1336-57-0x0000000010000000-0x0000000010054000-memory.dmp
    Filesize

    336KB

    Download