Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 22:42

General

  • Target

    5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe

  • Size

    296KB

  • MD5

    4de73593b1c39d2e91c024863935b453

  • SHA1

    177a756554cf61a7c984c9b34797b1a7706c99c2

  • SHA256

    5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e

  • SHA512

    5073cbb81bd2fc8384095caf159116507ec6ace6e8e910908faeb6fa2cd82bd21dcc4b3e0972aed33b817369d3ee40064abd45ca90c53d7ec66b69f1ecceeac2

  • SSDEEP

    1536:7I17SYMoQEeZ3tmnunbHq7eOHc3Hbuk93VMjBmGQSbcW+gZ372Fc0h:i4otehtmnuLqdHguq3pGz4W+g

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 4 IoCs
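Two of the items above are worth re-checking by hand before the report is trusted: the "UPX packed file" signature and the hash block under General. UPX leaves two fingerprints in the PE section table, its section names (UPX0/UPX1/UPX2) and, even when those are renamed by a "modified UPX" build, an empty first section (no raw data, large virtual size) that the stub unpacks into at runtime. The script below is an added example, not part of this report or of the sandbox's own tooling: it walks a PE section table for those two indicators and compares a file's digests with a report's values. The PE bytes it runs on are constructed by build_sample_pe and are not the sample from this report; every function name is this example's own.

```python
"""Added example: UPX indicators from the PE section table, plus hash verification.

The PE images built here are constructed test fixtures, not the 296KB sample
described in the report.  Function names are this example's own.
"""
import hashlib
import struct


def pe_sections(data: bytes):
    """Return the section headers of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_off = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = sec_off + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
        })
    return sections


def upx_indicators(sections):
    """Reasons to believe the image is UPX-packed (empty list means none found)."""
    reasons = []
    names = [s["name"] for s in sections]
    if any(n.startswith("UPX") for n in names):
        reasons.append("UPX section names: %s" % ", ".join(names))
    # UPX layout: the first section has no raw data but a large virtual size;
    # the stub in the next section decompresses into it at runtime.  This
    # survives section renaming, which is how "modified UPX" builds hide.
    if sections and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0x1000:
        reasons.append("first section %r has no raw data but %#x bytes virtual"
                       % (names[0], sections[0]["vsize"]))
    return reasons


def digests(data: bytes):
    """The four digests a report of this kind lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def verify_hashes(data: bytes, expected: dict):
    """Map each expected algorithm to True/False for whether data matches."""
    actual = digests(data)
    return {alg: actual[alg] == val.lower() for alg, val in expected.items()}


def build_sample_pe(sections):
    """Constructed fixture: a minimal PE with the given (name, vsize, rawsize) sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b""
    vaddr, rawptr = 0x1000, 0x400
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, rawsize, rawptr if rawsize else 0)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0xE0000020)   # relocs, lines, flags
        vaddr += (vsize + 0xFFF) & ~0xFFF
        rawptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts: stock UPX, UPX with renamed sections, and an unpacked binary.
SAMPLES = {
    "upx": build_sample_pe([("UPX0", 0x19000, 0), ("UPX1", 0xA000, 0x9800), ("UPX2", 0x1000, 0x200)]),
    "renamed_upx": build_sample_pe([(".text", 0x19000, 0), (".data", 0xA000, 0x9800), (".rsrc", 0x1000, 0x200)]),
    "plain": build_sample_pe([(".text", 0x5000, 0x5000), (".rdata", 0x1000, 0x1000), (".data", 0x800, 0x200)]),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        print(label, digests(image)["sha256"][:16], upx_indicators(pe_sections(image)) or "no UPX indicators")
```

On a real file, read it in binary mode and pass the bytes to pe_sections and verify_hashes with the MD5/SHA1/SHA256/SHA512 values from the General block; the memory dumps listed later (104KB for the first stage, 244KB for the final winlogon.exe image at the same base address) are the unpacked images and will not hash to the on-disk values.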

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe
    "C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe
      "C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:4376
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2744
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:396
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3860
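The tree above has a shape worth encoding as a detection rather than reading by eye: each stage (PID 4180, then 4896, then 1320) is flagged for SetThreadContext and WriteProcessMemory and its child runs the same image, which is the process-hollowing sequence (create suspended, write the payload, re-point the thread), and the dropped copy is named winlogon.exe but lives under C:\Users\Admin\E696D64614 rather than System32. The script below is an added example, not the sandbox's export format or tooling: EVENTS is a hand transcription of the PIDs, images and per-process API flags shown in this tree, the field names are this example's own, and the path regex generalises the single dropped path on this page (a 10-character hex directory under the profile) as a hunting pattern, which is an assumption beyond what one sample proves.

```python
"""Added example: derive the hollowing chain and the masquerading winlogon.exe
from the process tree in the report.

EVENTS is transcribed by hand from the tree above; the record layout is this
example's own and not the sandbox's export format.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e.exe"
DROPPED = r"C:\Users\Admin\E696D64614\winlogon.exe"

EVENTS = [
    {"pid": 4180, "ppid": None, "image": SAMPLE, "apis": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 5044, "ppid": 4180, "image": SAMPLE, "apis": {"SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 4896, "ppid": 5044, "image": DROPPED, "apis": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 1320, "ppid": 4896, "image": DROPPED, "apis": {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 4376, "ppid": 1320, "image": DROPPED, "apis": {"SetWindowsHookEx", "AdjustPrivilegeToken"}},
    {"pid": 2744, "ppid": None, "image": r"C:\Windows\system32\wbem\unsecapp.exe", "apis": set()},
    {"pid": 4032, "ppid": None, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "apis": {"FindShellTrayWindow", "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 3860, "ppid": 4032, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "apis": {"SetWindowsHookEx"}},
]

# Names that only belong in the Windows system directories.
SYSTEM_IMAGES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption: generalises the one dropped path on this page (10 hex chars under the profile).
DROP_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\[0-9a-f]{10}\\winlogon\.exe$", re.IGNORECASE)


def by_pid(events):
    return {e["pid"]: e for e in events}


def self_injections(events):
    """(parent, child) pairs where a parent both wrote into and re-pointed a
    thread of a child that runs the parent's own image: the hollowing shape."""
    procs = by_pid(events)
    hits = []
    for e in events:
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        same_image = parent["image"].lower() == e["image"].lower()
        if same_image and {"SetThreadContext", "WriteProcessMemory"} <= parent["apis"]:
            hits.append((parent["pid"], e["pid"]))
    return hits


def masquerading(events):
    """PIDs whose image name is a protected system binary running outside System32/SysWOW64."""
    hits = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name in SYSTEM_IMAGES and not e["image"].lower().startswith(SYSTEM_DIRS):
            hits.append(e["pid"])
    return hits


def dropped_path_matches(path):
    return DROP_PATH.match(path) is not None


def ancestry(events, pid):
    """Root-to-leaf PID chain for pid, so the whole staging sequence is reported together."""
    procs = by_pid(events)
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    print("hollowing pairs:", self_injections(EVENTS))
    for pid in masquerading(EVENTS):
        print("masquerading winlogon.exe pid", pid, "chain", ancestry(EVENTS, pid))
```

Note that the Internet Explorer pair (4032 spawning 3860) is not reported: the parent calls WriteProcessMemory but not SetThreadContext and the two images differ, which is normal IE broker behaviour. Requiring both APIs plus an identical child image keeps the rule on the hollowing pattern rather than on any parent that touches a child's memory.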

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        2KB

        MD5

        76e7d5bf61b2e80d159f88aa9798ce91

        SHA1

        32a46de50c9c02b068e39cf49b78c7e2d5ace20d

        SHA256

        280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

        SHA512

        5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
        Filesize

        1KB

        MD5

        6f1150fc9821fca63b6ad97833b4ea5e

        SHA1

        fd3851676433ec7b1863a7dc99235fc2948578fa

        SHA256

        589db8e5365101fb81ce2e01d90153acaa8e9da371dd9bdf29c272e3b2b8b789

        SHA512

        ea347e8c2645a6908ec6a57eb1037b45a84affd8f77970ad5c13bc9f0df8bd476c1a671e25c9c308411284213365c3db42f4d7ad53ed1432b2716da9f40b186f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        3bc8595d0a469edc8b7a071a3befe724

        SHA1

        f7e4b53b01d31626ab7965b267fea4457d798a91

        SHA256

        33c4b30d18fa3eeeed676831973cf8dd8c9a9145e7edcb689efeec0647d685d4

        SHA512

        4969ab6d2239a94d1dfb6105d9a329588ad0e3366ab4af874e033b853adfcadf808eced3466823136221e110accd2bcd5b25b0474b11947aab510f0b92d397d8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        1KB

        MD5

        8641ac0a62e1e72023be75ceed4638a9

        SHA1

        a347dbd79e99d81cdd6ec77783008fec9f7e7d42

        SHA256

        d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

        SHA512

        9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
        Filesize

        472B

        MD5

        cfbcb12817712d4f8f816c208590444a

        SHA1

        9999caeedbb1a95ae4236a5b962c233633df6799

        SHA256

        b5a41ab77d5ff4ba1a17ff074eb91bc18824d56dfc4b6c3320e900bbd6f3a90a

        SHA512

        a70eb8c366dfa0226cd62dbffbf51bd2da25571a6ff6b1f2e44dd8d9193a72f79ab7d90367378edf808ff3152ca45bf2a6ba3d64882d0f6d4aa437b6881d13f2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        488B

        MD5

        3f71d042fcc2433d73e0cb6d98abf719

        SHA1

        267b4f5ada646ac7b5cf01db4ee0a85d40b3201e

        SHA256

        f59bf5001170a596067593fbfe6a51993345c6b9751460d4b6dbd9d6dfbe5eb5

        SHA512

        6552c4531ae408cc4e59d3f1aa600f9ab336ca5033b5a8917f87e4643ca26c89e4989757a5a06f3e4e516bb2c3a275489cd509aa9011798c340153d567569dc3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
        Filesize

        446B

        MD5

        e620cc486ebf943fdf6b6678c14a62ae

        SHA1

        147c9323d8f77b76aef7fbce6b2a782f8b13d4ea

        SHA256

        0c3c8b86a9fe48adc7b05dfa2814275037cc5039e84dc6cc8f0bca050defd459

        SHA512

        a65b8cf7b85f1841da12ce9d7cdf3b7580547172c4d043f1dd72fb7cd06373c23e2c87ffd1186d07957d8db49d9eea188090cc7d87e979a8f53d22fdcec19e58

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        1e34619ac6325bdc89ddfa021f2a02de

        SHA1

        4c84c675f79ab749a908a3f648fefbd547a7c1ba

        SHA256

        c9103089edc5b1a1de83f32c79a5a63872070ee8a4920f491d75ac036bc4a636

        SHA512

        8b7f03563c99f4a64d0a93d476c8d6e89e40c8047679cf0190a7ffb19fe49820cf40cb1f1d4dc23235516f0b19200be286b0ccba1d0b348cedc279e6896ba308

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        482B

        MD5

        5db45407973b387de888450ea0e5aae2

        SHA1

        debad7ba65d99b3295023f4d39cfa0da90dac738

        SHA256

        2afd3a06d4821a675fe6a768ba2b7c569129d13c7107d57ba6a44c70ec1803f2

        SHA512

        c8e6987adfdcf6285be536ae429bbe927e7e1ac66ab18b2a1dcab6999683564f7cecf6f7e959d6a6ce5453b9ab3dfb11de4044e165f7ac4bc2f57c2f86ac9855

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
        Filesize

        480B

        MD5

        d81373591cb6fe56c332724acf903965

        SHA1

        f41dbf2817551be6f906f53837d230cab2c7402a

        SHA256

        0fc5e4065c34d253f495e4060e681f61e495df5eb717547caa6e0ba52dd494ed

        SHA512

        65cdf02d32c8b22c948330d655d050ae8103a9a249d28f992c37af34e13aa5c63d89454045c1a248e2057a4108dff484767c974e382459e100c31dc4a395d51a

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\E696D64614\winlogon.exe
        Filesize

        296KB

        MD5

        4de73593b1c39d2e91c024863935b453

        SHA1

        177a756554cf61a7c984c9b34797b1a7706c99c2

        SHA256

        5f50b35b511889ab3ae1721c84f1d4efef95a34d14b2420c5d1592d36b6d755e

        SHA512

        5073cbb81bd2fc8384095caf159116507ec6ace6e8e910908faeb6fa2cd82bd21dcc4b3e0972aed33b817369d3ee40064abd45ca90c53d7ec66b69f1ecceeac2

      • memory/1320-152-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/1320-143-0x0000000000000000-mapping.dmp
      • memory/1320-151-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/4376-154-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/4376-153-0x0000000000000000-mapping.dmp
      • memory/4376-157-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/4376-158-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/4376-167-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/4376-168-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/4896-139-0x0000000000000000-mapping.dmp
      • memory/5044-132-0x0000000000000000-mapping.dmp
      • memory/5044-142-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/5044-136-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/5044-135-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/5044-133-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB