Analysis

  • max time kernel
    138s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2022 12:39

General

  • Target

    8676dea78ac84ac9268d12a023a7b09a79b56dffc661a0002b9e08f7418f9e89.exe

  • Size

    1.2MB

  • MD5

    fba9a81512ad0deb9dfa5c5b3c7c7cf2

  • SHA1

    9d7fc9d653106f0567a2df5c0a15e31b10b4bf74

  • SHA256

    8676dea78ac84ac9268d12a023a7b09a79b56dffc661a0002b9e08f7418f9e89

  • SHA512

    dcf3c26ede0ba2a209e6c68beba433f76caee5c50c716aa08c15931e72908295b9fa6d637c7a55a695b7e7e1f89ceca035514e379263df47a3c07cb0f0822a36

  • SSDEEP

    24576:GRjn23Psy6/nKJmgKtR1HpvmucMNLygGDm5dk2ZlZ:GREPs7nUmnJ4aLTkmZ

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8676dea78ac84ac9268d12a023a7b09a79b56dffc661a0002b9e08f7418f9e89.exe
    "C:\Users\Admin\AppData\Local\Temp\8676dea78ac84ac9268d12a023a7b09a79b56dffc661a0002b9e08f7418f9e89.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://qqtz.com/read-htm-tid-4245053.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2012
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x504
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4c9bf16c1b58179eee1e02958d68d083

    SHA1

    66927a218bbb9f5c9f33c69099f281839138f285

    SHA256

    9d1a456f0518bd8277acf8c312422900b1fa38092523158cb48333693b1ad83e

    SHA512

    c68ed3349e4f1d116a68b058cfd7052bd981efc0834803e90b5151a82b1926c3f06076a7c7f62b9cb10ce23141193a8a2ed405e2ea91ee91650b72539862409f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

    Filesize

    2KB

    MD5

    d2a1a5a05af76e8c6c60dd5d3e9cba52

    SHA1

    8396110222819236572927b30756d14f0d504b96

    SHA256

    980685cb5c6085e6f22aa8f6e1f2023725957d8e5e1cb6e1f080e9fa79b47ecf

    SHA512

    b003690df8a22867ca889ae2ffb0847164c7484870ee655f16f373fb05a0c0c42c19f5dd83c2b8d8db61e4a4bd8ad4bbfe6389c9ea9437bb6938a416491140b9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JL099PPH.txt

    Filesize

    608B

    MD5

    4ee588b861a2397db2fd0bf4f5ec6c90

    SHA1

    22958aa310fe50751981933c18b97c06d68089f4

    SHA256

    ee1281888178608a2a55aff4fe85939d24f3714eaf141940e67e117427e2c159

    SHA512

    52da015c823e16c07d37104f4287f4a47646af8b53c48e6dfa776b035deb9e43f7058a523005e6b5d2914c756743e9c1f3560a6ce4c2ec07c6006358ed39ca53

  • \Users\Admin\AppData\Local\Temp\SkinH_EL.dll

    Filesize

    86KB

    MD5

    147127382e001f495d1842ee7a9e7912

    SHA1

    92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

    SHA256

    edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

    SHA512

    97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

  • memory/1792-54-0x0000000076381000-0x0000000076383000-memory.dmp

    Filesize

    8KB

  • memory/1792-55-0x0000000000400000-0x00000000006B7000-memory.dmp

    Filesize

    2.7MB

  • memory/1792-58-0x0000000000400000-0x00000000006B7000-memory.dmp

    Filesize

    2.7MB

  • memory/1792-60-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/1792-61-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB