Overview

overview

10

Static

static

8

e732400bb2...87.exe

windows7-x64

10

e732400bb2...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe

  • Size

    315KB

  • MD5

    3fcfd5c852a561e4cd8c7d8017ffdb6e

  • SHA1

    0f2a20dedede3b6469ef69f0460a56212bb07195

  • SHA256

    e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487

  • SHA512

    52946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980

  • SSDEEP

    1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe
    "C:\Users\Admin\AppData\Local\Temp\e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1160
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:4904
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4916

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    2
    T1031

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Modify Registry

    12
    T1112

    Hidden Files and Directories

    2
    T1158

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      2KB

      MD5

      8cd381eca2d5342e36b1e65a9b7f82d5

      SHA1

      d9b529576e1ea26e8daf88fcda26b7a0069da217

      SHA256

      17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

      SHA512

      c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      33b7e09d1c6e875887fd38ae0a7ee659

      SHA1

      192864bc83504fafbd87af8c3834b835076c414a

      SHA256

      f200eaab5663e542461bbae7aac0473f6455eec451011f016c84920520b19dfb

      SHA512

      b1d6872519f5956bb511b4eca8e1b79123482e9aacb1cef704c1d3ef7f9daade10573dd206df4c62c623bbfb10f757f01c914bfc2b0e9ab567981ea08b404799

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      8641ac0a62e1e72023be75ceed4638a9

      SHA1

      a347dbd79e99d81cdd6ec77783008fec9f7e7d42

      SHA256

      d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

      SHA512

      9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
      Filesize

      472B

      MD5

      176c5bdeeb799ec212e8b21126aa58d5

      SHA1

      02c76719828821643ec84cfe61ecb4499838021c

      SHA256

      eaa1c4ffce046f2951b93258d2c8c396da596a86c40cb3954ea8ceb4b13aa842

      SHA512

      a8fcd3787e674c37c70bce3a3cb0cdf832c03483d01a29887183ca8345d632f0bb75509586b07218e9c4d06c5d1a413dc26374270789b147446d54cf0303f3ed

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      488B

      MD5

      7e313446239f8e247705bb6af0f2f3a5

      SHA1

      4450e3484cc10e5f1edb594e20ff3669ff86cd8f

      SHA256

      a761513ade2763046f420b936463186fff679aa14ae11faca29ac4ca2bd45d3a

      SHA512

      7f1b90dbe7e1409548aa03208fc9618d8ba872069bcd4d591bdafd34c18c9b27322831b9d187237e67af558fa521684d9d5e84838827f865fc1855cc89eedaf3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      944366b0a3cd562f7283f75bb1fa017d

      SHA1

      ba1e4ed6b401a4a6874b102eec2058ebcefc2fb5

      SHA256

      e210635c0f17e4b94de607dc6f64ad9f0bde0e3306cd5ad73b6a879fba47a8b8

      SHA512

      79235b81f85a9f1e480d2f86c7470ce0bd115cb2f3da09b83e5e5f0bc101cdca87106ae5e783428cdf853268498fc7de81848b2854f9c3af47d93ba5914e4662

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      fafe8c07b34d20fbef3db2817c913fd0

      SHA1

      bceca594de648011c0b8fbcb8cd42c14dbd2d1b3

      SHA256

      29584f788e2ef99ae0f6b93e9450bf99b4407e29255d9277d1b3f8237459aad0

      SHA512

      939f8505faec6e044d88d32658a8396dbcf54291e6b849f36153dcd2fbe7d4186562e61e2c11bbb8683181a5d297fe6c36f59fafe7b814f5ef7291a44128e559

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
      Filesize

      480B

      MD5

      c838583155ce79a5e262ce75204d3db8

      SHA1

      e63c83758a83a999d38480c3b83db341e312ae97

      SHA256

      e4e68547ad393cb853c816d22e76b8765847c0506dd4d7326ec9d07497f90e92

      SHA512

      a7504111dfa7c7d370cfdde632b2c7cd84ac44c43852697adef4645b9bdd8d1f616ccc02071100bd4cbaeba4ab41ad344d43796ebe6ca5a2f7039d79e7fe262c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit
    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      315KB

      MD5

      3fcfd5c852a561e4cd8c7d8017ffdb6e

      SHA1

      0f2a20dedede3b6469ef69f0460a56212bb07195

      SHA256

      e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487

      SHA512

      52946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980

      Download Submit
    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      315KB

      MD5

      3fcfd5c852a561e4cd8c7d8017ffdb6e

      SHA1

      0f2a20dedede3b6469ef69f0460a56212bb07195

      SHA256

      e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487

      SHA512

      52946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980

      Download Submit
    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      315KB

      MD5

      3fcfd5c852a561e4cd8c7d8017ffdb6e

      SHA1

      0f2a20dedede3b6469ef69f0460a56212bb07195

      SHA256

      e732400bb2faeda3a30c82f825003f4b12a5b1e53f1b7f508e1e7f14130a1487

      SHA512

      52946b7f520c34f098229b4830417510d17fe04ce056e4a90ddf37251c005323c331e29a37cd2d755d6a22160dc04de9320c72d32a79a37775033f380e356980

      Download Submit
    • memory/1160-149-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1160-152-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1160-153-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1160-148-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1160-145-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1160-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1160-160-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2760-132-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

      Download
    • memory/2760-142-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

      Download
    • memory/2760-133-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

      Download
    • memory/4920-143-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

      Download
    • memory/4920-141-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

      Download
    • memory/4920-136-0x0000000000000000-mapping.dmp
      Download