Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 22:42

General

  • Target

    5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe

  • Size

    296KB

  • MD5

    4de73593b1c39d2e91c024863935b453

  • SHA1

    177a756554cf61a7c984c9b34797b1a7706c99c2

  • SHA256

    5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e

  • SHA512

    5073cbb81bd2fc8384095caf159116507ec6ace6e8e910908faeb6fa2cd82bd21dcc4b3e0972aed33b817369d3ee40064abd45ca90c53d7ec66b69f1ecceeac2

  • SSDEEP

    1536:7I17SYMoQEeZ3tmnunbHq7eOHc3Hbuk93VMjBmGQSbcW+gZ372Fc0h:i4otehtmnuLqdHguq3pGz4W+g

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Common in ransomware, but on its own this is only drive enumeration; no file-encryption behaviour appears anywhere else in this report, so it does not support a ransomware verdict for this sample.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 4 IoCs
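
The signatures above are the sandbox's names for a small set of well-known registry edits. The script below is added here and is not part of the report: it scans a Windows .reg export for the values behind those signatures and reports which ones are in the hostile state (DisableTaskMgr and DisableRegistryTools under Policies\System, HideFileExt/Hidden/ShowSuperHidden under Explorer\Advanced, EnableLUA under HKLM Policies\System, any Run-key entry pointing outside Windows or Program Files, and any Image File Execution Options Debugger value). The two exports embedded in it are constructed; the report confirms that a Run key and IFEO entries were written but not what they contain, so those two lines are illustrative, not observed.

```python
"""Check a Windows .reg export for the registry tampering named in the
Signatures list: Task Manager and RegEdit disabled, Explorer told to hide
extensions and hidden/system files, UAC switched off, an autostart in the
Run key, and an IFEO Debugger hijack.

Added example, not part of the sandbox report. Key/value names are the
standard Windows locations; both exports below are constructed.
"""

POLICY = r"\software\microsoft\windows\currentversion\policies\system"
ADVANCED = r"\software\microsoft\windows\currentversion\explorer\advanced"
RUN = r"\software\microsoft\windows\currentversion\run"
IFEO = "\\image file execution options\\"

# (key suffix, value name) -> (hostile data, signature name used in the report)
HOSTILE_VALUES = {
    (POLICY, "DisableTaskMgr"): (1, "Disables Task Manager via registry modification"),
    (POLICY, "DisableRegistryTools"): (1, "Disables RegEdit via registry modification"),
    (POLICY, "EnableLUA"): (0, "UAC bypass (EnableLUA cleared)"),
    (ADVANCED, "HideFileExt"): (1, "Modifies visibility of file extensions in Explorer"),
    (ADVANCED, "Hidden"): (2, "Modifies visibility of hidden files in Explorer"),  # 2 = hide
    (ADVANCED, "ShowSuperHidden"): (0, "Modifies visibility of system files in Explorer"),
}
# Run-key targets under these roots are treated as benign by this heuristic.
TRUSTED_RUN_PREFIXES = ("c:\\windows\\", "c:\\program files")

HOSTILE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

; constructed: the report confirms a Run key was added, not its contents
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"

; constructed: the report confirms IFEO entries, not which executables
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"""


def _decode(data):
    """Decode the subset of .reg value syntax this check needs."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data  # hex:, hex(2): and friends are left as raw text


def parse_reg(text):
    """Map each [key] to {value_name: data}; header and ; comments are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode(data)
    return keys


def find_tampering(keys):
    """Return (signature, 'key\\value=data') for every hostile setting present."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for (suffix, name), (bad, label) in HOSTILE_VALUES.items():
            if k.endswith(suffix) and values.get(name) == bad:
                findings.append((label, f"{key}\\{name}={values[name]}"))
        if k.endswith(RUN):
            for name, data in values.items():
                if isinstance(data, str) and not data.lower().startswith(TRUSTED_RUN_PREFIXES):
                    findings.append(("Adds Run key to start application", f"{key}\\{name}={data}"))
        if IFEO in k and "Debugger" in values:
            findings.append(("Sets file execution options in registry", f"{key}\\Debugger={values['Debugger']}"))
    return findings


if __name__ == "__main__":
    for label, where in find_tampering(parse_reg(HOSTILE_REG)):
        print(f"{label}: {where}")
```

On a live host the input comes from `reg export` of the HKCU and HKLM CurrentVersion hives. Hidden=2 and ShowSuperHidden=0 are also Explorer's defaults, so treat those two as corroboration next to the Policies\System and IFEO hits rather than as indicators on their own.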

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe
    "C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe
      "C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:524
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1756
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1976
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1556
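
The tree above shows the sample (PID 824) hitting SetThreadContext and WriteProcessMemory and spawning a second copy of its own image (PID 748); the dropped winlogon.exe then repeats the same pattern twice (688 → 524 → 1756). That is the sequence process hollowing produces, although the sandbox does not name the technique itself, and the memory dumps at the end of the report are consistent with it: a 104KB image sits at 0x400000 in PIDs 748 and 524 while a 244KB image sits at the same base in PID 1756. The script below is an added example, not part of the report: it rebuilds the chain from the PIDs, paths and per-process API hits printed above and applies two checks a detection engineer would write against real process telemetry, self-spawn plus the hollowing API pair, and a system-process name running from outside System32. The parent PIDs of the top-level processes are not given in the report and are recorded as None; the Internet Explorer processes are included to show the checks do not fire on IE's own (different-image) child.

```python
"""Re-derive the execution chain from the Processes section and flag the
process-hollowing pattern (a parent spawning its own image after showing
WriteProcessMemory and SetThreadContext) and masquerading (a Windows system
name running from outside System32/SysWOW64).

Added example, not part of the sandbox report. EVENTS is constructed from
the PIDs, image paths and API hits printed in the report; ppid None marks
parents the report does not give.
"""
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "pid ppid image apis")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe")
DROPPED = r"C:\Users\Admin\E696D64614\winlogon.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

EVENTS = [
    Proc(824, None, SAMPLE, {"SetThreadContext", "WriteProcessMemory"}),
    Proc(748, 824, SAMPLE, {"WriteProcessMemory", "SetWindowsHookEx"}),
    Proc(688, 748, DROPPED, {"SetThreadContext", "WriteProcessMemory"}),
    Proc(524, 688, DROPPED, {"SetThreadContext", "WriteProcessMemory", "SetWindowsHookEx"}),
    Proc(1756, 524, DROPPED, {"AdjustPrivilegeToken", "SetWindowsHookEx"}),
    Proc(1976, None, r"C:\Windows\system32\wbem\unsecapp.exe", set()),
    Proc(1748, None, IE64, {"WriteProcessMemory", "SetWindowsHookEx", "FindShellTrayWindow"}),
    Proc(1556, 1748, IE32, {"SetWindowsHookEx"}),
]

HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}
# Names whose only legitimate homes are the two system directories.
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                "smss.exe", "svchost.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def hollowing_candidates(events):
    """(parent_pid, child_pid) pairs where the parent launched its own image
    and showed both hollowing APIs. A same-image child alone is normal for
    browsers and installers; the API pair is what makes it suspicious."""
    by_pid = {p.pid: p for p in events}
    pairs = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if parent.image.lower() == child.image.lower() and HOLLOW_APIS <= parent.apis:
            pairs.append((parent.pid, child.pid))
    return pairs


def masquerading(events):
    """PIDs whose image has a system-process name but lives outside System32/SysWOW64."""
    hits = []
    for p in events:
        path = PureWindowsPath(p.image)
        if path.name.lower() in SYSTEM_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
            hits.append(p.pid)
    return hits


def lineage(events, pid):
    """Ancestry of pid, root first, following ppid while the parent is known."""
    by_pid = {p.pid: p for p in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for parent, child in hollowing_candidates(EVENTS):
        print(f"hollowing candidate: {parent} -> {child}")
    for pid in masquerading(EVENTS):
        print(f"system name outside System32: pid {pid}")
    print("chain to final stage:", " -> ".join(map(str, lineage(EVENTS, 1756))))
```

Against real telemetry the `apis` set would be filled from Sysmon CreateRemoteThread/ProcessAccess events or an EDR's API trace rather than from a sandbox report, and the masquerading check should also compare the file's hash to the genuine System32 binary, since here the dropped winlogon.exe hashes identically to the submitted sample.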

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Tactic                  Technique                             Count  ID
    Persistence             Modify Existing Service                 2    T1031
    Persistence             Hidden Files and Directories            2    T1158
    Persistence             Registry Run Keys / Startup Folder      2    T1060
    Privilege Escalation    Bypass User Account Control             1    T1088
    Defense Evasion         Modify Registry                        13    T1112
    Defense Evasion         Hidden Files and Directories            2    T1158
    Defense Evasion         Bypass User Account Control             1    T1088
    Defense Evasion         Disabling Security Tools                3    T1089
    Defense Evasion         Install Root Certificate                1    T1130
    Credential Access       Credentials in Files                    1    T1081
    Discovery               System Information Discovery            2    T1082
    Collection              Data from Local System                  1    T1005


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      2KB

      MD5

      76e7d5bf61b2e80d159f88aa9798ce91

      SHA1

      32a46de50c9c02b068e39cf49b78c7e2d5ace20d

      SHA256

      280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

      SHA512

      5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      8641ac0a62e1e72023be75ceed4638a9

      SHA1

      a347dbd79e99d81cdd6ec77783008fec9f7e7d42

      SHA256

      d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

      SHA512

      9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
      Filesize

      472B

      MD5

      cfbcb12817712d4f8f816c208590444a

      SHA1

      9999caeedbb1a95ae4236a5b962c233633df6799

      SHA256

      b5a41ab77d5ff4ba1a17ff074eb91bc18824d56dfc4b6c3320e900bbd6f3a90a

      SHA512

      a70eb8c366dfa0226cd62dbffbf51bd2da25571a6ff6b1f2e44dd8d9193a72f79ab7d90367378edf808ff3152ca45bf2a6ba3d64882d0f6d4aa437b6881d13f2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      488B

      MD5

      69a08be1b4c0c1b0a99d829a43153009

      SHA1

      d7ea444d8d0d5b51839b2088efe524fd1c44222d

      SHA256

      997aa2963674e0e00889472942af2e7dced9ba69e8ae01ca35829622a0a2ce29

      SHA512

      6df78a0bca218503b6f971e8d6e35cd1ff7ccfb6929a32ea38d3a28cf3bbc70f3dd220adadbd330a1931019a0b2d394a700269692adc9505c9e94a2cf965e72d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d8cea3fe1badff2e7d32884e757c2df6

      SHA1

      f0c1f740f605ecf5ff2abbd29e4debb6aaa33692

      SHA256

      fdc33666480007b11a6ebc6190c0cc7f26fe43f4927a58073aac65eddb2e3f18

      SHA512

      a680f0ebe8d5780cefd8078746d34daa94518e233512f82176cfc395e1c1e2836c0468f1733365e0ab543a045891e4effdd2932f2b30499d5f8575b42bd5723c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d3c632b8f3c726058c992738782f8096

      SHA1

      fe43cc4c039bd5e8d3d8b4465802f1ce6725f1fa

      SHA256

      b6caaa75cff188d091fc83def05a7581004c71e666c4a2840ba50c4d5f042dff

      SHA512

      f606032b2240e33f4e4e13222a5abff1f48db072ac0a9e7b5426120ad5218179799415701f327e713bf80e6907ff993d22d03a8d2b89acd513e7d83bb8a9c4c8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      a7168186a13af86b3abdcee5408d36c2

      SHA1

      5c4f74112edba804b69baf44aca77791c555eacc

      SHA256

      f685b587eaec075d8cb0061bd7538ebcbd0635759595f2128e61890bf904da33

      SHA512

      f459381f203750273c2e4ce1e684e34ad221dd620119154d59b13ace6f2b3f72e68203c33d1806dd8ead639c25afc044e5da0d2cd36d2fd7c689caf0649891bf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
      Filesize

      480B

      MD5

      c953e1df2f64cd27f2624c6b4ef426df

      SHA1

      360a8d2bcc65ab897bccfe0aec399f7d41faffa0

      SHA256

      f2a2a197d15f8eb7445d14bdf6864d388312797304f8c4ef1b62b656122c77b8

      SHA512

      09cd9488ac27a5e12c5e2e9ddde2e7c21f9d3d241af9336f32bb9d73aa9854bc66e1dba8ff7d3c6a7c3054f9e85e229a27818d578e8d86f22b935dc10cc9ced1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B6V2OTIU.txt
      Filesize

      96B

      MD5

      2c60ca5438f261a961cb0ab870fffb11

      SHA1

      a49766cc075d03a248a606ccd632f2756fab30fe

      SHA256

      a9f1031727eb8ac98955517df15d69e5a1bc345780e014a6f7e31f4281e4c971

      SHA512

      05a36027d73a46c597a00b6597e60eaca7f8bff867b6183cebdc62a5248cac03e6685cafb911fe7f9408759218166083c3e29d52ad798c2bf1afc3ba1097a49c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XAF4ART2.txt
      Filesize

      608B

      MD5

      588ac91ffa1f80a7a22e8e09a41177d9

      SHA1

      8195fc846c199672288b202f72a2b55fb27a783b

      SHA256

      6d6ed1d850fa847f6405dc7c04189cada8828992b6622193626a40393e664211

      SHA512

      2e8a1cd88d06d4d24b04f176e12133d8dbd942fe65bfb736ef2e8bb5be9b08386b1adea6656674494910b39db6c0e42295dd973469ed622b6b37e028b71fadd4

    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      296KB

      MD5

      4de73593b1c39d2e91c024863935b453

      SHA1

      177a756554cf61a7c984c9b34797b1a7706c99c2

      SHA256

      5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e

      SHA512

      5073cbb81bd2fc8384095caf159116507ec6ace6e8e910908faeb6fa2cd82bd21dcc4b3e0972aed33b817369d3ee40064abd45ca90c53d7ec66b69f1ecceeac2

      Identical in size and in every hash to the submitted sample: the dropped winlogon.exe is a byte-for-byte copy of the sample placed under the user profile with a system-process name, not a separate payload.

    • \Users\Admin\E696D64614\winlogon.exe
      Filesize

      296KB

      MD5

      4de73593b1c39d2e91c024863935b453

      SHA1

      177a756554cf61a7c984c9b34797b1a7706c99c2

      SHA256

      5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e

      SHA512

      5073cbb81bd2fc8384095caf159116507ec6ace6e8e910908faeb6fa2cd82bd21dcc4b3e0972aed33b817369d3ee40064abd45ca90c53d7ec66b69f1ecceeac2

    • memory/524-77-0x0000000000417840-mapping.dmp
    • memory/524-85-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/524-104-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/688-68-0x0000000000000000-mapping.dmp
    • memory/748-57-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/748-70-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/748-59-0x0000000000417840-mapping.dmp
    • memory/748-55-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/748-54-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/748-65-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
      Filesize

      8KB

    • memory/748-62-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/748-61-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/748-58-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

    • memory/1756-90-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB

    • memory/1756-103-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB

    • memory/1756-91-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB

    • memory/1756-105-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB

    • memory/1756-87-0x000000000043AB10-mapping.dmp
    • memory/1756-86-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize

      244KB