Analysis

  • max time kernel
    208s
  • max time network
    251s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 23:24

General

  • Target

    85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56.exe

  • Size

    490KB

  • MD5

    72ae352492e4cafefa98c8196a719b0f

  • SHA1

    7d3259dde4abc30529a23ad1c5a4ee7b7f43f560

  • SHA256

    85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56

  • SHA512

    b7b8b55cf2c677ad697a3b37eef54049e7ac8d8b7b4940bf6a0236cffc9072955632935ceaa025c8c9adb2b6295e1eae969a08507171723c627026f523849962

  • SSDEEP

    1536:ybcbXVDMo9fgw5Y0ZlUmp/xLVQ8GW9AWPdApTbJ7mLcaQ9yrKYcU:yWMot5Y0Z2enQ8G0AVpTTaOyrv

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 4 IoCs
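The signature names above correspond to a small set of well-known registry values (Explorer's `HideFileExt`/`Hidden`/`ShowSuperHidden`, the `DisableRegistryTools`/`DisableTaskMgr` policies, `EnableLUA`, an Image File Execution Options `Debugger` value, the firewall profile's `EnableFirewall`, and the `Run` key). The following is an added example, not part of this sandbox report and not the sandbox's own rule set: it parses a `reg export`-style fragment and evaluates it against those signatures. The `.reg` text is constructed so that every rule fires; the report does not publish the values the sample actually wrote, so the data, the IFEO target `taskmgr.exe` and the `Run` value name are assumptions about what such a sample typically does.

```python
"""Evaluate a `reg export`-style fragment against the policy-tampering signatures
listed above. Added example; the signature-to-value mapping is the usual one but
is an assumption here, and the input below is constructed, not observed."""
from __future__ import annotations

import re

# Constructed input (assumption: chosen so that every rule fires). `reg export`
# escapes backslashes in string data as `\\`, which the parser undoes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="C:\\Users\\Admin\\E696D64614\\winlogon.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text: str) -> dict[str, dict[str, int | str]]:
    """Parse the subset of .reg syntax `reg export` emits: keys, DWORD and string
    values. Key paths are lower-cased because the registry is case-insensitive."""
    keys: dict[str, dict[str, int | str]] = {}
    current: dict[str, int | str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := _VAL_RE.match(line)):
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string.replace('\\\\', '\\')
    return keys


ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
CU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FW_STD = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# The three Explorer values below are also the Windows defaults, so a value check
# alone cannot prove tampering; the sandbox flags the write, a host triage needs a baseline.
IS_DEFAULT = "equals the Windows default; only meaningful with a write event or a baseline"

# (signature, key, value name, data that trips it, caveat)
RULES = [
    ("Modifies visibility of file extensions in Explorer", ADV, "HideFileExt", 1, IS_DEFAULT),
    ("Modifies visibility of hidden/system files in Explorer", ADV, "Hidden", 2, IS_DEFAULT),
    ("Modifies visibility of hidden/system files in Explorer", ADV, "ShowSuperHidden", 0, IS_DEFAULT),
    ("Disables RegEdit via registry modification", CU_POL, "DisableRegistryTools", 1, ""),
    ("Disables Task Manager via registry modification", CU_POL, "DisableTaskMgr", 1, ""),
    ("UAC bypass", LM_POL, "EnableLUA", 0, ""),
    ("Modifies firewall policy service", FW_STD, "EnableFirewall", 0, ""),
]


def evaluate(keys: dict[str, dict[str, int | str]]) -> list[tuple[str, str, str, int | str, str]]:
    """Return (signature, key, value name, data, caveat) for every rule that fires."""
    findings = []
    for label, key, name, bad, caveat in RULES:
        data = keys.get(key.lower(), {}).get(name)
        if data == bad:
            findings.append((label, key, name, data, caveat))
    # IFEO: a Debugger value under <program>.exe makes Windows launch that path instead.
    for key, values in keys.items():
        if key.startswith(IFEO.lower() + "\\") and "Debugger" in values:
            findings.append(("Sets file execution options in registry", key, "Debugger", values["Debugger"], ""))
    for name, data in keys.get(RUN.lower(), {}).items():
        findings.append(("Registry Run key persistence", RUN, name, data, ""))
    return findings


if __name__ == "__main__":
    for label, key, name, data, caveat in evaluate(parse_reg(SAMPLE_REG)):
        print(f"[{label}] {key}\\{name} = {data!r}" + (f"  ({caveat})" if caveat else ""))
```

On a live host, `reg export <key> out.reg` writes UTF-16, so decode with `utf-16` before passing the text to `parse_reg`. The caveat attached to the three Explorer rules matters in practice: `HideFileExt=1`, `Hidden=2` and `ShowSuperHidden=0` are what a fresh Windows install already has, so the sandbox's evidence is the write itself, and a host-side check only means something against a known baseline or a registry write event.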

Processes

  • C:\Users\Admin\AppData\Local\Temp\85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56.exe
    "C:\Users\Admin\AppData\Local\Temp\85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56.exe
      C:\Users\Admin\AppData\Local\Temp\85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Users\Admin\E696D64614\winlogon.exe
          C:\Users\Admin\E696D64614\winlogon.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1868
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2740
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:1520
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4380
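The tree above has a characteristic shape: each stage spawns a second copy of its own image after the parent has called SetThreadContext and WriteProcessMemory, and the dropped payload carries the name of a core Windows process (winlogon.exe) while living under the user's profile. The following is an added example, not part of the report and not the sandbox's code: it walks a transcription of that tree together with the memory-dump names from the Downloads section and reports those two patterns. The list of system process names, and the choice to treat the first dumped region as the process's image mapping, are assumptions.

```python
"""Flag self-spawn-after-injection (hollowing shape) and system-name masquerading
in a sandbox process tree. Added example; TREE and DUMPS are transcribed from the
report above, SYSTEM_NAMES and HOLLOW_APIS are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Proc:
    pid: int
    image: str
    parent: int | None
    flags: set[str] = field(default_factory=set)                    # sandbox signatures hit by this process
    regions: list[tuple[int, int]] = field(default_factory=list)    # (base, end) of dumped mapped images


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56.exe"
DROPPED = r"C:\Users\Admin\E696D64614\winlogon.exe"

# Transcribed from the process tree in the report: (pid, image, parent pid, signatures).
TREE = [
    Proc(1636, SAMPLE, None, {"SetThreadContext", "WriteProcessMemory"}),
    Proc(4404, SAMPLE, 1636, {"Checks computer location settings", "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(3624, DROPPED, 4404, {"Executes dropped EXE", "SetThreadContext", "WriteProcessMemory"}),
    Proc(4544, DROPPED, 3624, {"Executes dropped EXE", "SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(1868, DROPPED, 4544, {"Executes dropped EXE", "UAC bypass", "Windows security bypass", "System policy modification"}),
]

# Dump names as the report lists them; entries ending in mapping.dmp carry no address range.
DUMPS = [
    "memory/4404-133-0x0000000000400000-0x000000000041A000-memory.dmp",
    "memory/4404-143-0x0000000000400000-0x000000000041A000-memory.dmp",
    "memory/3624-140-0x0000000000000000-mapping.dmp",
    "memory/4544-152-0x0000000000400000-0x000000000041A000-memory.dmp",
    "memory/1868-154-0x0000000000400000-0x000000000043D000-memory.dmp",
]
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumption: binaries with these names that run from outside System32 are treated as masquerading.
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "svchost.exe"}
HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}


def build(tree: list[Proc], dumps: list[str]) -> dict[int, Proc]:
    """Index the tree by pid and attach each dumped (base, end) region to its process."""
    procs = {p.pid: p for p in tree}
    for name in dumps:
        if m := DUMP_RE.match(name):
            pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            if (base, end) not in procs[pid].regions:   # the same region is usually dumped several times
                procs[pid].regions.append((base, end))
    return procs


def _image_kb(p: Proc) -> int | None:
    """Size in KB of the first dumped region (assumed to be the 0x400000 image mapping)."""
    if not p.regions:
        return None
    base, end = p.regions[0]
    return (end - base) // 1024


def analyze(procs: dict[int, Proc]) -> list[str]:
    findings: list[str] = []
    for p in procs.values():
        path = PureWindowsPath(p.image)
        if path.name.lower() in SYSTEM_NAMES and not str(path.parent).lower().startswith(r"c:\windows\system32"):
            findings.append(f"pid {p.pid}: {path.name} masquerading outside System32 ({p.image})")
        parent = procs.get(p.parent) if p.parent is not None else None
        if parent is None:
            continue
        # Same image as the parent, and the parent wrote into a process and reset a thread
        # context: the shape of a hollowed copy of itself.
        if p.image.lower() == parent.image.lower() and HOLLOW_APIS <= parent.flags:
            msg = f"pid {parent.pid} -> {p.pid}: self-spawn after SetThreadContext+WriteProcessMemory in the parent (hollowing candidate)"
            pk, ck = _image_kb(parent), _image_kb(p)
            if pk is not None and ck is not None and pk != ck:
                msg += f"; mapped image size changed {pk}KB -> {ck}KB (child runs a different image than its parent)"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in analyze(build(TREE, DUMPS)):
        print(line)
```

The size comparison is what makes the last hop worth a second look: PID 4544 and PID 1868 share the image base 0x400000, but the region is 104KB in the parent and 244KB in the child, so the fifth stage is running a different image than the one on disk. For unpacking, those dump files are the starting point rather than the 490KB UPX-packed file.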

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Signatures  ID
  Persistence           Modify Existing Service              2           T1031
  Persistence           Hidden Files and Directories         2           T1158
  Persistence           Registry Run Keys / Startup Folder   1           T1060
  Privilege Escalation  Bypass User Account Control          1           T1088
  Defense Evasion       Modify Registry                      11          T1112
  Defense Evasion       Hidden Files and Directories         2           T1158
  Defense Evasion       Bypass User Account Control          1           T1088
  Defense Evasion       Disabling Security Tools             3           T1089
  Credential Access     Credentials in Files                 1           T1081
  Discovery             Query Registry                       1           T1012
  Discovery             System Information Discovery         3           T1082
  Collection            Data from Local System               1           T1005

The IDs follow ATT&CK v6, the version this matrix was generated against. Several have since been retired or merged into sub-techniques (T1031 into T1543.003, T1158 into T1564.001, T1060 into T1547.001, T1088 into T1548.002, T1089 into T1562.001, T1081 into T1552.001), so translate them before loading this mapping into a current ATT&CK Navigator layer.


Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        2KB

        MD5

        76e7d5bf61b2e80d159f88aa9798ce91

        SHA1

        32a46de50c9c02b068e39cf49b78c7e2d5ace20d

        SHA256

        280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

        SHA512

        5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        1KB

        MD5

        8641ac0a62e1e72023be75ceed4638a9

        SHA1

        a347dbd79e99d81cdd6ec77783008fec9f7e7d42

        SHA256

        d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

        SHA512

        9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
        Filesize

        472B

        MD5

        cfbcb12817712d4f8f816c208590444a

        SHA1

        9999caeedbb1a95ae4236a5b962c233633df6799

        SHA256

        b5a41ab77d5ff4ba1a17ff074eb91bc18824d56dfc4b6c3320e900bbd6f3a90a

        SHA512

        a70eb8c366dfa0226cd62dbffbf51bd2da25571a6ff6b1f2e44dd8d9193a72f79ab7d90367378edf808ff3152ca45bf2a6ba3d64882d0f6d4aa437b6881d13f2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        488B

        MD5

        7395c76fb11949b128d2a50a20f98a4f

        SHA1

        6c750f0b3f1da28f39f841484483c810916ef6d2

        SHA256

        bd31ae7dab250562b83fdb5a5ac7c5be39913d6352da68f6a91a69c178d1321b

        SHA512

        02554690bc9aa387feda2f01ccd66dafec71a32f2fdce4cae6e011de864b4d12823b9794e8f38c5d277dbd56b8a7020f377e12f467f771cf48de0069f7c25a51

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        482B

        MD5

        8eec569f75c3b1b3d6d6254f7f6a09ee

        SHA1

        79d30d2e9820962414b031e99d1a9978b176776d

        SHA256

        1ee57706c78f5ec2b77d2d734e62cdac480695a1692b4b258590156767004015

        SHA512

        fb79dea178744f9b1a3f7cbf6580c421e072fd19c1fc3d5c10c8cabe23e2b3846788e25ae19e07897e5a3987dbe586c8a559439b13f2c1f81c9329bf4a690301

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
        Filesize

        480B

        MD5

        0fb661c674ee94070b96b2bd323d842b

        SHA1

        30321f4a73ed2efc564399a984b057fc0616676a

        SHA256

        73e624e2aec8baabd532fe5bfbd2549ab88d4740113b639eef28cebea9b01ea7

        SHA512

        47f17747027b82db2c215983a7f50d0e681690baf5b01a3d31b5882d7b1acdc79341cbf187d55d7cc440011640ef2b88d6039e7ba90b2e32951c85e7dac06434

      • C:\Users\Admin\E696D64614\winlogon.exe
        Filesize

        490KB

        MD5

        72ae352492e4cafefa98c8196a719b0f

        SHA1

        7d3259dde4abc30529a23ad1c5a4ee7b7f43f560

        SHA256

        85b314309287c92dce55a504f7f73ec62a9fd80b12ad9e5f477e6ba1f52e0a56

        SHA512

        b7b8b55cf2c677ad697a3b37eef54049e7ac8d8b7b4940bf6a0236cffc9072955632935ceaa025c8c9adb2b6295e1eae969a08507171723c627026f523849962

      • memory/1868-153-0x0000000000000000-mapping.dmp
      • memory/1868-161-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/1868-168-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/1868-154-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/1868-157-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/1868-158-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

      • memory/3624-140-0x0000000000000000-mapping.dmp
      • memory/4404-143-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/4404-139-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/4404-136-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/4404-135-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/4404-133-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB

      • memory/4404-132-0x0000000000000000-mapping.dmp
      • memory/4544-144-0x0000000000000000-mapping.dmp
      • memory/4544-152-0x0000000000400000-0x000000000041A000-memory.dmp
        Filesize

        104KB