Overview

overview

8

Static

static

8

0e57dc6b41...69.exe

windows7-x64

8

0e57dc6b41...69.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe

  • Size

    2.3MB

  • MD5

    ff3d7e1506acf688ec60a0544b4c223d

  • SHA1

    a411fac1cb409333e459c03b86afefe0f2492568

  • SHA256

    0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69

  • SHA512

    652bf5c0b567677c4c7bc4add60da4b9f78dcbdfb0d0b1ff9a6a6ac81af4387fcc5cde759e2ff354f293ede0dd3ee801098943275d30167b67032478adf21967

  • SSDEEP

    49152:bF089ANW0kzZ2+K/2kWKXHRNwpygaV5ShPAQtoyzrVs6GFbo:bF0NwZ9KlWONwpIJOzHGFbo

Score
8/10
evasionupxvmprotect

Malware Config

Signatures

  • Blocks application from running via registry modification 6 IoCs

    Adds application to list of disallowed applications.

    evasion
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe
    "C:\Users\Admin\AppData\Local\Temp\0e57dc6b41764f42fcf04175c98f880569113ce0696daa5f2d687b094d318a69.exe"
    1⤵
    • Blocks application from running via registry modification
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://cfqingkong.tap.cn/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:340993 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:432
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://baid.us/MDsb
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8caff9763bd2a727663aee1983e9c514

    SHA1

    18bdb3c7cf07481e539bba70b9e6eec9541fd1c9

    SHA256

    817d31b247668967898c565ffc311054858813a659b0672d962379976cec2af7

    SHA512

    1b0cd60c0cebdd082a4ebb17fefaed4d791910c591cf58402ba511b5697653ac522de3d1beb6f79b6706fc511ce26d4ead913ffe438e25c031f7282bcb01e3dc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3c6aafc9bcab9467a0f5ddfaa7df4136

    SHA1

    f70f9257e800f7f71528df5e81e99d849a2a9042

    SHA256

    3c1be5ab179193085fdd1ec01f5a1d581e75dd0efba84e733d0791fecd88a715

    SHA512

    c6603a239a97f9af99a37411539ff50fd4759c38e387ec386b3f327b0119421b34d1573288be7be1b0f74996e618cda7e26c56eefe2497128b30a115673c02df

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    75e0645a9df72e7d02d51981ddc82ff9

    SHA1

    7f6dd83902bbdc8f8156459bb1a5bbe325ecf036

    SHA256

    d0002646ec00d9fbd81069c706189a5219bef9a5f273d6fa89166d233de7998d

    SHA512

    65e6d801555501d9be78e2389e995172ff3dbda988b1f7dc6bb6687c162bc7cf43975098b8405fe46f2cd03566e20f535f73de14b94daa56d73d6518b77203fb

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8b2bf9fe76d56392b0c036daf92fd365

    SHA1

    c1c86dc65f73ac41b2afe4914257fdf83b131e55

    SHA256

    523e6687d8878a209ea15a61f1b2819f66d5f2f274253168b03108c8cd8f4036

    SHA512

    482a518eaeac12997d09799d711250146010312e9cf4f2a7ad6b626c576b8c19867580ee10a10a5a71e2678b2d742586673b014c13960f206fbc902382da5a7c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e35edbaf8671c66a717c675eed2627af

    SHA1

    61296d91df5d98b79d3688ed216c764679e80c56

    SHA256

    98189ede32360263fdcb179c64c0283939e1f4ccf68a480d4eb3031223d4e423

    SHA512

    605f8a12b8b407aa37f14bc84c012b6dfe5feddbb80b7f1104be1694bdc34dfbea360766582741d32a73d792d34fb557c902985c47726cda8b300763e0f483fd

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b390f2b6f80f5af6e18003fadd830cdc

    SHA1

    8eeedfcca94f4c404526a84570eff3b7527333a7

    SHA256

    c509ab6a2194153b10df100487a16296226377315282a53bab1f259bad90c26c

    SHA512

    8e521387ed41f54deb00e9736db062450799ddbd386ed7cfe7a24d6352100e7452595a956621c56070a88429307fc17af621c88255e090d86e11bae3bece04ec

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2651a36901a35e2e0dae477b86c849c1

    SHA1

    f441ba2bec4d8c67c1938299d3451d9d46856426

    SHA256

    0d412c52f4945b1df55c30ba3d24a9db582803abffee9f365914b3639d5bee55

    SHA512

    129dfa648b5a5f6f5d9f57f0990fe586f59371a5ed988dede991da6de2e7dc209af54877c03614eff1cfb572d738f611a040dc077f728c5b65eb742d284d8e9f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ba5d4bcc1586da5e65f9f31c8c080584

    SHA1

    4fc10e3f51cf7664200d61671b4f65ea7d369372

    SHA256

    d4e0c0b1671595fad45f28b285598e087583f5a979a8cf0d9455267538d52847

    SHA512

    6e0c247a362bd181742a635c72ecc5f34da210b1e7e2f4102c9cf243deac21a50cd1ef96a55adf6c9ac07aa2aed1984d53e7279fc20bfe46e374a84896a2aac7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1D65BDE1-6D00-11ED-B110-4EFAD8A2B6A5}.dat
    Filesize

    5KB

    MD5

    f86945a2718f13c4b57779863a17a190

    SHA1

    b4a3c3270a82794ad61c071293e322a6c8815110

    SHA256

    43fb654e9deeec8791e87feb73380e7e1069ed7ad8d0b73fdcafff1642bcdc05

    SHA512

    7f550262518d75c495a8594e89950f9ebffeee79eba20c93ba59940886d809e652c15cce766588956c76ccf684c6f8e7bfc139aaa00b09acfd57e2ce3f3c9a4f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N1P5NEOJ.txt
    Filesize

    601B

    MD5

    7ad5e442b4542339aca57db175ab9918

    SHA1

    243984ce0e4a17cb753c9ee0897e1b606ccdd7aa

    SHA256

    6377c5811c5fc04a40d496a586cc730bcbd988986e752700f0c4c83233096213

    SHA512

    785c830b1d7a377c719d15456ccf628fdf1e4e6febce1c1f804ca231955977b650dd04499698ef424f7b8ed1a69bb53fc08cf2d873d3aaa4abb40cbf4d602428

    Download Submit
  • memory/1228-87-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-99-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-75-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-79-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-77-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-83-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-81-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-85-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-54-0x0000000075C41000-0x0000000075C43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1228-91-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-89-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-93-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-95-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-97-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-101-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-73-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-105-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-107-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-103-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-71-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-69-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-67-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-66-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-64-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-65-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-60-0x0000000010000000-0x0000000010040000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1228-59-0x0000000000400000-0x0000000000986000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/1228-58-0x0000000000400000-0x0000000000986000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/1228-55-0x0000000000400000-0x0000000000986000-memory.dmp
    Filesize

    5.5MB

    Download