Overview

overview

8

Static

static

6489e1f7e5...a5.exe

windows7-x64

8

6489e1f7e5...a5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe

  • Size

    223KB

  • MD5

    325ef393cb894ec32c3e0496adb954f4

  • SHA1

    3942bc68d6a5f292f396c79fef1aaf46a2413b45

  • SHA256

    6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5

  • SHA512

    f6f265673db1a31ef58bcec87d51b1ad7788e474ecd35fa8b95b7a3888a44911636ddaefe4461b5a6c916819f2300726367e6de4c2ddea55e33be69da1eab226

  • SSDEEP

    3072:HbHZEXb+0peSIfzxvOkO+7uE8/SkPPADH4cl5KwoY1uFFpzZL1lY4/D3jsl1vjL6:7HZL/SIf7qJ/uHNW5K2DTslxjm

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 10 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
    "C:\Users\Admin\AppData\Local\Temp\6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:276
      • C:\Users\Admin\AppData\Local\Temp\word.exe
        word.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Users\Admin\AppData\Local\Temp\word.exe
          "C:\Users\Admin\AppData\Local\Temp\word.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Windows\syswow64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            5⤵
            • Adds policy Run key to start application
            • Drops file in Program Files directory
            PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7th.xlsx
    Filesize

    11KB

    MD5

    0d9e8698246eb3c0b7fba1678dabde11

    SHA1

    38629cac35d812cdcf14071dd84d2fa03922cdce

    SHA256

    13ee82153ffae33b033456400ae12695e6eecc19522772a698ff2bc4643a5883

    SHA512

    6e08b017e3f25969ca9a0d60353a208cca2e6d59035995d8e59522e46a9b701af7efd083d466642ca2192ddc77c9ee002cfb2435cbb086c4a0a06ca150d747bb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\setup.bat
    Filesize

    47B

    MD5

    2f6486d6900e095ecc69781650a235e6

    SHA1

    3ae9f70dea5b98df6d88e75f740a8d03fd94bae8

    SHA256

    cd3db5a55f22e093944f263a9f3c69e9ab916284b5cc6a056e7cd4d49b1b6cf6

    SHA512

    0778e37942fd9be2df528b158fea225d7c58ee324703d0ec57602f5c83162c674134136d5f30bc14b215eef2a84ad056d0e216dbc99dd65f8bf279de1df2037b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\word.exe
    Filesize

    93KB

    MD5

    a138a8eabea1c2f19d75b9160294b42a

    SHA1

    beac1990d1f3c456d61a970b6a1552d980197618

    SHA256

    e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

    SHA512

    2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\word.exe
    Filesize

    93KB

    MD5

    a138a8eabea1c2f19d75b9160294b42a

    SHA1

    beac1990d1f3c456d61a970b6a1552d980197618

    SHA256

    e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

    SHA512

    2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\word.exe
    Filesize

    93KB

    MD5

    a138a8eabea1c2f19d75b9160294b42a

    SHA1

    beac1990d1f3c456d61a970b6a1552d980197618

    SHA256

    e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

    SHA512

    2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsjFEB.tmp\eVfrvsgtRS.dll
    Filesize

    100KB

    MD5

    06029cbcd32b74b637b1d40397a07e87

    SHA1

    6000cfb488739eb08bc349299c4dca62de979ad0

    SHA256

    d23e418da8580e89dba1f0d97b1fafbf577c45b6e4770c3db01ebe23f7217e69

    SHA512

    16540d2a8750108be78e082fcb3e5655e835c368a33626268134c552b17c0029529db476598913a7cd57974b7bb3501b0e7bad6a85a87fe9fe950f2d367ebdcc

    Download Submit
  • \Users\Admin\AppData\Local\Temp\word.exe
    Filesize

    93KB

    MD5

    a138a8eabea1c2f19d75b9160294b42a

    SHA1

    beac1990d1f3c456d61a970b6a1552d980197618

    SHA256

    e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

    SHA512

    2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\word.exe
    Filesize

    93KB

    MD5

    a138a8eabea1c2f19d75b9160294b42a

    SHA1

    beac1990d1f3c456d61a970b6a1552d980197618

    SHA256

    e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

    SHA512

    2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

    Download Submit
  • memory/276-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/276-65-0x0000000071F1D000-0x0000000071F28000-memory.dmp
    Filesize

    44KB

    Download
  • memory/276-63-0x0000000071F1D000-0x0000000071F28000-memory.dmp
    Filesize

    44KB

    Download
  • memory/276-61-0x0000000070F31000-0x0000000070F33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/276-59-0x000000002F6F1000-0x000000002F6F4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/276-58-0x0000000000000000-mapping.dmp
    Download
  • memory/564-68-0x0000000000000000-mapping.dmp
    Download
  • memory/564-72-0x0000000000430000-0x0000000000453000-memory.dmp
    Filesize

    140KB

    Download
  • memory/772-74-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize

    20KB

    Download
  • memory/772-75-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize

    20KB

    Download
  • memory/772-77-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize

    20KB

    Download
  • memory/772-78-0x000000000040141C-mapping.dmp
    Download
  • memory/840-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2008-81-0x0000000000000000-mapping.dmp
    Download
  • memory/2008-83-0x00000000007A0000-0x00000000007A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2008-84-0x0000000000130000-0x0000000000135000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2008-85-0x0000000000130000-0x0000000000135000-memory.dmp
    Filesize

    20KB

    Download