Overview

overview

8

Static

static

54adb15496...e2.exe

windows7-x64

8

54adb15496...e2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe

  • Size

    1.6MB

  • MD5

    f84e4dd9cddd7925078a10cae8009c31

  • SHA1

    97a94ed43ec689934fe7af84f9570194570fc781

  • SHA256

    54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2

  • SHA512

    3e0d7c91b144ef52ad988e53a80a1b4457d9b77e5350341f4706b2707abc5b416aa761d1c35fdd4c13c5b5bdc935670e2ee957fe62c296c3d6dab8876a2c513b

  • SSDEEP

    24576:HNw52RX3IGgsPJnOK5BF6t1poyRBKx3htCYpJ4+I0z1N2V2:HDBhrFulixtC24+RU2

Score
8/10
aspackv2persistencevmprotect

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe
    "C:\Users\Admin\AppData\Local\Temp\54adb1549616d0c11a9b6aa9c3a7363e8d65ca00261332db793dbb24d59ce8e2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\yyberi.exe
      C:\Windows\System32\/yyberi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      PID:1232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.2345.com/?kduowanyy
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:968

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Filesize

    1KB

    MD5

    84ad40b5a681063674d53ff51082dffe

    SHA1

    0cc0fb07c307a74ca042fb2aa2b84f3f60df023d

    SHA256

    cb70ebb217c8756966fb6a2f60e1de8466dd3b7af45097eb0c1d49b98d927098

    SHA512

    ff60bcbe233a01acbc64c5fdc8a1e13d45a27e356f5f4391fa65e44dfd0419585efd7991ec20d9968b512245f2e850d7e6cfbcd9c1ac4e2c44abbd61611fec88

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
    Filesize

    1KB

    MD5

    731b8f0570b938ddfd449cde23f77558

    SHA1

    3edd9f9e4ec3a4a99afe08f071b29f91cfddf9f4

    SHA256

    7d938895d153ec61371388c58a96eedfec9a06050020ce6a46e3da9f0dac0bbb

    SHA512

    857b3c28249de00a5805b462cb4bbf8d6238c9a90ccde7c88462157295a295a22b07c920bb560ef2445fa657a56a077d019861f9f94574025c4c467c0b27731c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    Filesize

    1KB

    MD5

    be7f433ade87cec7931780324c837792

    SHA1

    aad8dd8211712f62c08328b7819832bc6c12a465

    SHA256

    2e888b8d71793c9edc666474ee4e8da1d3f4150b5ee919027e857168740aebbb

    SHA512

    82f2a27aa271179cebb83e25982ae41b5e0b6b74d3127065239e2e91ff21c0566be35cd421487e50d9963039bde0f814e132854c7093dd386cf585afd866192e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
    Filesize

    508B

    MD5

    b473c7879812813b08d3b1026c7f007a

    SHA1

    0a90495c19f2ae43ffe1ba188387cd9e26f901bc

    SHA256

    2a202769b3ba026bc70e8bc40c8b5dbb3c78a1245cf7e993e24b2988e7a8a79c

    SHA512

    51b94a71c2cdf1b51b272b09ecadfd817b8800688543677b94264a66dc0e97301e2d5ffc6703a78d79dfa3245271bf4ac2d643f95b44f9b2e4f7afbc6cb2111a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B
    Filesize

    532B

    MD5

    34512369c961cb7f8138c1ec4cc28d72

    SHA1

    938f498a2a764d50753230b49948d3c25bfd2641

    SHA256

    8753fcc62f9a1571c3ccc25edc40228ee5b18495c0851ebc749cd68f322acacf

    SHA512

    8b5d7d3ac4b74552dc83a924b9c10997281cd196c21207b4e3bed53eb9a0cb9d4f5c957c4a34ffa80f86db8ed17294e567f8868200fc342e5b1608268731a7e9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    da44ae7302af55ad63dd08fb3a9e8bef

    SHA1

    4d67a3dfa48ca750d60b68ff1ef7fddb1bc15ee5

    SHA256

    248d6e4fcddab93be8999bb741538baf7365aa2dde60122a537eb94afdd6fcd1

    SHA512

    37483c71b7453b03e1745068aa9fd0fcb70f51787f22ea39dc9d821fd76308bdf0289725f5c3c59d18b82d634883d34e3ef5184724a1c3dca0181ab24d0dfa0b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    eecf82ec92e1329290e0ded5283fa52c

    SHA1

    f0f6eb0edcfd31afe1ee09bcfd95e6b976210730

    SHA256

    1e5b7e056826b16e789d218c299fcf50e79a8f863578e870e94d5b80e0286cfc

    SHA512

    49afccaced4686beede008e044aa140f0a73afb06640f89add24419b63bf154eececae4013ec19c03ffc40710420e87d3b340a7e5bc51ecf804cea22cf3dc037

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    Filesize

    506B

    MD5

    877a8d7b017944983b79cc5caad13b08

    SHA1

    76cf83dd25b7436e851945315b30ff960b566610

    SHA256

    e15ca6dbbff4b9c42c9ca19d22e934a647d88aaed627563329004fa9ac063c12

    SHA512

    40e2c34478d0ae1c82e27098e62018ceb87b0e37cd535027dc1eb46e28da1a2ab72b39871faa45608571b98acbd1fb7bbae331c1cb0820ee773f60469d192276

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize

    4KB

    MD5

    1be704ec14f7761cdf57de3605b12b30

    SHA1

    f163e949e511090d5e42323006f5db3ffada977d

    SHA256

    7276387aa429534e4cfc61f7966eaec02d14634f23ee15912075c2d3dbd89859

    SHA512

    e8de7fd393232244aed41bee430ad327f12f9374553f6409e26432b6e0ab9d8f9e9fb4804d8d5ab3d422cb2d0ee759e6424577bc3a441b16f59f97c5901e7d31

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\08QETNV8.txt
    Filesize

    108B

    MD5

    001c6c74e965633cb51fc8e0b4600d25

    SHA1

    3c37a2a116ea822b11daf295551030e03c33cd12

    SHA256

    24f4ab75beb7da9c0d3777da1549f33f92976be4ddd3bf79c94811249c42b823

    SHA512

    ac05dd1432cc912b6c369fafb9889c65fb2c1cc506945a873eec93eea803d22f0dbb73f7c06b78f4d3976b06a7ea40c8de0c0361b29d5b7d9dfba36643fb0ccf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L7JWKC4P.txt
    Filesize

    608B

    MD5

    a730b7d1925f357b2784af4fdce73221

    SHA1

    6c5ad04c9a60d523267d59172feedbc57f6dd671

    SHA256

    64e681d9411556f3f45592751b72d3ff30248c0dc4af9a2f57fbc9887da68d78

    SHA512

    c7a189890f7b71647e4915bb0f7fbe7416ad5ed44a58d2ebf808d999963f6cb5a02e814efb8adf7b7cf27bbdcabf6acaa21e4eb4aff04a9e66e868e8ff36beca

    Download Submit
  • C:\Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • C:\Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • \Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • \Windows\SysWOW64\yyberi.exe
    Filesize

    476KB

    MD5

    262c5d4706f08de4ee40cfd533f0c3d6

    SHA1

    3150ca9f7b477d1403bf3a4af73ee712cc8797f1

    SHA256

    81bdb4e664879104d8754aad80bfc7f189450da3ea000198960fbd0c2c98ae67

    SHA512

    1b72667b8428437ba68d994ff5b5918fed58d143f486b64089675d1bdca5afdfe4871df519082e7b26ac480b3d488c4a98abcf8375dcb4cdd8a2c57fe99b3a51

    Download Submit
  • memory/1232-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1232-65-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1232-62-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1232-63-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1232-81-0x0000000000400000-0x00000000005A7000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1652-59-0x00000000033B0000-0x0000000003557000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1652-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1652-61-0x00000000033B0000-0x0000000003557000-memory.dmp
    Filesize

    1.7MB

    Download