Overview

overview

9

Static

static

8

f79c5e6e8d...03.exe

windows7-x64

9

f79c5e6e8d...03.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    107s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f79c5e6e8de93b81b4f3e4d3cebedf485172788473fe6f234ba1f2c09d047503.exe

  • Size

    488KB

  • MD5

    e560a700cdd0ab415f5448f06ea57003

  • SHA1

    869b4850cb7f92c03137adf0d51515be361d1d86

  • SHA256

    f79c5e6e8de93b81b4f3e4d3cebedf485172788473fe6f234ba1f2c09d047503

  • SHA512

    4dc45de0dc912e5e0fea0227cc822fa552f879b49568d68f79180ba1f699264283d7652d28cab244e1f6250e5d0487e2fc457408a5803e8a52268d126035d157

  • SSDEEP

    12288:+degBs2sFlVrHfSrqPjgPwrjlPBPfLm9lS8bLoSj:ens/FlDEPoFZfLm3Hb

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f79c5e6e8de93b81b4f3e4d3cebedf485172788473fe6f234ba1f2c09d047503.exe
    "C:\Users\Admin\AppData\Local\Temp\f79c5e6e8de93b81b4f3e4d3cebedf485172788473fe6f234ba1f2c09d047503.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.helpxy.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5567454ee45db0d7ed4c8308fc484ae2

    SHA1

    171ce05cfd71791da27e8bd2161c2b87e95a13c5

    SHA256

    eab8fb766dc0a4da698a01688cec053cc129c80dfa6d0fcf52b53993edfc5f38

    SHA512

    4f3c9355edecb988ec6d4b272c4421aad7b59f81067d951dda2e9d30d91c560416f3eb35e491599fc21d5e7193199dd2b661e3a43b91c6be8c015113853a3f4e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KUTDV1GB.txt
    Filesize

    608B

    MD5

    c363c2276216e248da5458e41b26444a

    SHA1

    ab63a1f79fa1cead6de83bb47854cd9ef34a150d

    SHA256

    45da5fa9fb8296e3005be3b597c5ad490d85bb76316846b5c4d8461526fdaf93

    SHA512

    392dc88686de9e4f31fdcd5a39065a6eaba12ab1f3e2e21552fe830a9f0585447dfa2d486b99a29ee9c04e723b531c578b64845b64a67cdd1f694b2c009dfed9

    Download Submit

  • \Windows\SysWOW64\jedata.dll
    Filesize

    86KB

    MD5

    114054313070472cd1a6d7d28f7c5002

    SHA1

    9a044986e6101df1a126035da7326a50c3fe9a23

    SHA256

    e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

    SHA512

    a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

    Download Submit

  • memory/1776-54-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1776-55-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1776-57-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1776-58-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download