Overview

overview

8

Static

static

73b6e9ef24...b7.exe

windows7-x64

8

73b6e9ef24...b7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    180s
  • max time network
    222s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 04:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe

  • Size

    255KB

  • MD5

    bfd148a3b0d7c27c34c0268ea8b3bea2

  • SHA1

    600d36d821981934a405a29152d93d0a9b1feb4d

  • SHA256

    73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7

  • SHA512

    367f9fa97307728333102c9a296534192bb9c5e32c0cb765de5d214808a858d5e517b654d20e569dbc431983d989b3512cc04a8f8663cfa48d6d667bbb76192c

  • SSDEEP

    6144:7UnITMpSph0lMqqgWoDhujqcQQbxJhVGvkVbOcH4CIMw:7CQMY07qgWo6VVGvkVLAt

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
    "C:\Users\Admin\AppData\Local\Temp\73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Modifies registry class
        PID:376
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1504
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x598
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    7d827e24bc5f35d919b6935b72f7a312

    SHA1

    b21171c1f406d75f6bbdf0f8f0b80991bc5e575a

    SHA256

    9c57a7bcb12aa74796413e8b1968cf45951f0c30723cfa757ecd70312253ffb7

    SHA512

    b1995208855b0d93c17174c3defab4922c9c3fd2c7635336c66a057d7458d64996f6a3c3f625640e4b7c2a2dbb5d163629b0af17197379e3a0573c8c6a270d75

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SogouPinyin.local
    Filesize

    89B

    MD5

    6af3a7fe90a3506927855b11b6c8c956

    SHA1

    e83d35662298d9f5dfa3041da6d627c52042ed67

    SHA256

    e503cc5f9be994e7bf354ac2698f7207e4fb48738e6a6f82304558fb445cb706

    SHA512

    9f93e30613e59a5140d47ba4a8b24b16f2f4c80eb2b95f079f6374c1010c5c7c612980426166ec6017014ee4907d14d71f71577d5f77da629a9fa2bf57fb03a7

    Download Submit
  • \Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    7d827e24bc5f35d919b6935b72f7a312

    SHA1

    b21171c1f406d75f6bbdf0f8f0b80991bc5e575a

    SHA256

    9c57a7bcb12aa74796413e8b1968cf45951f0c30723cfa757ecd70312253ffb7

    SHA512

    b1995208855b0d93c17174c3defab4922c9c3fd2c7635336c66a057d7458d64996f6a3c3f625640e4b7c2a2dbb5d163629b0af17197379e3a0573c8c6a270d75

    Download Submit
  • \Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    7d827e24bc5f35d919b6935b72f7a312

    SHA1

    b21171c1f406d75f6bbdf0f8f0b80991bc5e575a

    SHA256

    9c57a7bcb12aa74796413e8b1968cf45951f0c30723cfa757ecd70312253ffb7

    SHA512

    b1995208855b0d93c17174c3defab4922c9c3fd2c7635336c66a057d7458d64996f6a3c3f625640e4b7c2a2dbb5d163629b0af17197379e3a0573c8c6a270d75

    Download Submit
  • \Users\Admin\AppData\Roaming\Carefree\plugin.dat
    Filesize

    95KB

    MD5

    7d827e24bc5f35d919b6935b72f7a312

    SHA1

    b21171c1f406d75f6bbdf0f8f0b80991bc5e575a

    SHA256

    9c57a7bcb12aa74796413e8b1968cf45951f0c30723cfa757ecd70312253ffb7

    SHA512

    b1995208855b0d93c17174c3defab4922c9c3fd2c7635336c66a057d7458d64996f6a3c3f625640e4b7c2a2dbb5d163629b0af17197379e3a0573c8c6a270d75

    Download Submit
  • memory/376-59-0x0000000000000000-mapping.dmp
    Download
  • memory/376-60-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/968-54-0x00000000764C1000-0x00000000764C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1204-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-62-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-65-0x000007FEFBDF0000-0x000007FEFBE5D000-memory.dmp
    Filesize

    436KB

    Download
  • memory/1504-66-0x000007FEFBDF0000-0x000007FEFBE5D000-memory.dmp
    Filesize

    436KB

    Download
  • memory/1504-67-0x00000000029B0000-0x00000000029C0000-memory.dmp
    Filesize

    64KB

    Download