Overview

overview

8

Static

static

8

895ef7d9bf...6a.exe

windows7-x64

8

895ef7d9bf...6a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    204s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe

  • Size

    218KB

  • MD5

    32a0615410754e84b06f127f1601ea9d

  • SHA1

    7188ae6ff8ebae133ecb91b68cc746d80d7c053e

  • SHA256

    895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a

  • SHA512

    b2d7cc6837af595fa3d3c3f970427ece1fe13d0e62c7faf70b8e934d6f32af42627bd379d6b9531bec3a1e13a1bb3fee48ac17095637214a369331052b30e185

  • SSDEEP

    3072:N8DZDcdQRRwZJ+nqaTDZlBATQGB/OquFZYgdqI/gFgcg7XuPCGZe30RsApIh1ZE1:5QwwqaxAsc/gr5dP1jGZGtApgy

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe
    "C:\Users\Admin\AppData\Local\Temp\895ef7d9bf32231532bf814d5585ff77eb2a02f8150589405102653890ed1e6a.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:204
    • C:\algs.exe
      "C:\algs.exe"
      2⤵
      • Executes dropped EXE
      PID:4544
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3516
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:888
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17416 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4176
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17420 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4336
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17424 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4344
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17432 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4628

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\algs.exe
      Filesize

      46KB

      MD5

      4b69db9d7c245b1e2b6dcb8a764cd1f2

      SHA1

      b6f506ea538d59f0ef9721ddbdd963dc3c6f5122

      SHA256

      db45111dc7ac77fcd23788a9dcdd1c38e1de9180cc35e432ef2120ba1ad35b5c

      SHA512

      5c1abcf59be354224843a727bd6c3bf4dae1d3a3914fdd241b74e7ca692dd94e09fb7ad6859b6b0484e9c296a76090b7e0859088927787b67b885d1b3720e0ea

      Download Submit
    • C:\algs.exe
      Filesize

      46KB

      MD5

      4b69db9d7c245b1e2b6dcb8a764cd1f2

      SHA1

      b6f506ea538d59f0ef9721ddbdd963dc3c6f5122

      SHA256

      db45111dc7ac77fcd23788a9dcdd1c38e1de9180cc35e432ef2120ba1ad35b5c

      SHA512

      5c1abcf59be354224843a727bd6c3bf4dae1d3a3914fdd241b74e7ca692dd94e09fb7ad6859b6b0484e9c296a76090b7e0859088927787b67b885d1b3720e0ea

      Download Submit
    • memory/204-133-0x0000000000400000-0x000000000047D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/204-134-0x0000000000400000-0x000000000047D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/204-139-0x0000000000400000-0x000000000047D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/4544-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4544-138-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download