Overview

overview

10

Static

static

8

e78e04ad05...38.exe

windows7-x64

10

e78e04ad05...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    254s
  • max time network
    387s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38.exe

  • Size

    790KB

  • MD5

    712b004599fef1662c3a6c6064ad1d76

  • SHA1

    1057b1496e847b35b29723a8e14a65212e3cdae5

  • SHA256

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38

  • SHA512

    c1ff57e268e151af8f94eaf06335f3e5299f76b61843ec66e45479a839223cda94075b05057b1dd310289524436b21dfd406b7b354ade08b9a3c1fd32db94e81

  • SSDEEP

    1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38.exe
    "C:\Users\Admin\AppData\Local\Temp\e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1408
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1308

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    8cd381eca2d5342e36b1e65a9b7f82d5

    SHA1

    d9b529576e1ea26e8daf88fcda26b7a0069da217

    SHA256

    17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369

    SHA512

    c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    8641ac0a62e1e72023be75ceed4638a9

    SHA1

    a347dbd79e99d81cdd6ec77783008fec9f7e7d42

    SHA256

    d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c

    SHA512

    9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
    Filesize

    472B

    MD5

    cfbcb12817712d4f8f816c208590444a

    SHA1

    9999caeedbb1a95ae4236a5b962c233633df6799

    SHA256

    b5a41ab77d5ff4ba1a17ff074eb91bc18824d56dfc4b6c3320e900bbd6f3a90a

    SHA512

    a70eb8c366dfa0226cd62dbffbf51bd2da25571a6ff6b1f2e44dd8d9193a72f79ab7d90367378edf808ff3152ca45bf2a6ba3d64882d0f6d4aa437b6881d13f2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    5a80e2bb5aadb2ff74396a6aee04ee15

    SHA1

    9ba0d71bee8205798068a671c65f9b54eb571be0

    SHA256

    007330d72c2d3c2e887d1faa5529813cd727752d99683bae2354598af78a6fed

    SHA512

    4a1b4ab61bdc8e88200c577e0e6121ac9fa8030ee6905e4e0ea0c36132557fd3e2f2c56425938cad6a384656811b8d59926cd692c6af94088e5b8a9b3b0d553d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    79d3a0ab05b96b0793d86e000bd9f59e

    SHA1

    69da7815ae49bf1c01fac445100e1c38dc5d2f5d

    SHA256

    867c66be80947f0b4157478a54f00c1b4d4e6f85509a9bcf073c507c4e33dae7

    SHA512

    01f9677e3443d7ad7824e30d27b059e9394c5627048f80562d31b93a18996d9585a613cc7a1485b75c63d4ff8d390c565059c98fdd52836d9ae850d64441ffe2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    986f6b30f1908f3aa723a7ed2147861b

    SHA1

    3eb378b05b82ce382cdb5fdc055400175e448594

    SHA256

    ef710e8c6703d814dddb2cc48fe5c65a5778323c440ea4176ad5064df7116d8e

    SHA512

    c3353ea8fef37381ff5eadd009c26ea4c359d0b236be7996764e1bd6bebeaba78ff120bbf674975765e99db9e79ad72a4e49c98903795a53784b61e931907c01

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    043b26e4bbdd0e48c1752e96b40fccfc

    SHA1

    b17051f2ecad17bef3087b6468d9324a788b24db

    SHA256

    8fbe18b68c763b25cc3f22c17923aa144741dcb2e6f3e865a381451a69620ab5

    SHA512

    6da841cdd229b91b2c4c3d9c4c0c6ff8e4d753003ebf605116534c78ce24b0e40fba5a2a1d3ed732fcccdddbe36c752948758c2cc8c31b3926b3f6914ef81412

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
    Filesize

    480B

    MD5

    3657fdf84481d796385ea1eded1c6fbc

    SHA1

    659ec6d0cce1247e673e4abd61517445f978fffa

    SHA256

    13fcf77e44caf017f921ad64c52895bab2f55dd2ec51569ee7ab4eeb0a0b6404

    SHA512

    f1007aa738133e1b302d420c7edba92d969a3db8e2d8143fea80c2f1b20853e5076a07d4452ac1b2de413d18057a45e6ac0d7f2056857b29777cb664d3fced6d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XMOX7GM7.txt
    Filesize

    97B

    MD5

    d2c5abbf502bc5becc3ed2170287eea9

    SHA1

    24ba86d3f7482854895093463f9a97cf0a422720

    SHA256

    d86edf7654162e84256071fd9b87b89b57f095716e26632193395c742e9de9f9

    SHA512

    1b4a8fee1b167c143988e78d02230befb609f6e5b8f6bb5038060ebb5c8f2ce03452c920c12cee300bb18cc77d492f286ba766371a8c8e47e4c84efb1b90ada7

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    790KB

    MD5

    712b004599fef1662c3a6c6064ad1d76

    SHA1

    1057b1496e847b35b29723a8e14a65212e3cdae5

    SHA256

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38

    SHA512

    c1ff57e268e151af8f94eaf06335f3e5299f76b61843ec66e45479a839223cda94075b05057b1dd310289524436b21dfd406b7b354ade08b9a3c1fd32db94e81

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    790KB

    MD5

    712b004599fef1662c3a6c6064ad1d76

    SHA1

    1057b1496e847b35b29723a8e14a65212e3cdae5

    SHA256

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38

    SHA512

    c1ff57e268e151af8f94eaf06335f3e5299f76b61843ec66e45479a839223cda94075b05057b1dd310289524436b21dfd406b7b354ade08b9a3c1fd32db94e81

    Download Submit
  • C:\Users\Admin\E696D64614\winlogon.exe
    Filesize

    790KB

    MD5

    712b004599fef1662c3a6c6064ad1d76

    SHA1

    1057b1496e847b35b29723a8e14a65212e3cdae5

    SHA256

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38

    SHA512

    c1ff57e268e151af8f94eaf06335f3e5299f76b61843ec66e45479a839223cda94075b05057b1dd310289524436b21dfd406b7b354ade08b9a3c1fd32db94e81

    Download Submit
  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    790KB

    MD5

    712b004599fef1662c3a6c6064ad1d76

    SHA1

    1057b1496e847b35b29723a8e14a65212e3cdae5

    SHA256

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38

    SHA512

    c1ff57e268e151af8f94eaf06335f3e5299f76b61843ec66e45479a839223cda94075b05057b1dd310289524436b21dfd406b7b354ade08b9a3c1fd32db94e81

    Download Submit
  • \Users\Admin\E696D64614\winlogon.exe
    Filesize

    790KB

    MD5

    712b004599fef1662c3a6c6064ad1d76

    SHA1

    1057b1496e847b35b29723a8e14a65212e3cdae5

    SHA256

    e78e04ad059b1cac13ed6bbde48aa7fe08e2a4b4fa0798dbf213475d8ad8bb38

    SHA512

    c1ff57e268e151af8f94eaf06335f3e5299f76b61843ec66e45479a839223cda94075b05057b1dd310289524436b21dfd406b7b354ade08b9a3c1fd32db94e81

    Download Submit
  • memory/592-59-0x00000000027A0000-0x00000000027E7000-memory.dmp
    Filesize

    284KB

    Download
  • memory/592-63-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/592-56-0x0000000075D11000-0x0000000075D13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/592-57-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1168-67-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1168-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1168-87-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1408-77-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1408-74-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1408-73-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1408-69-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1408-70-0x000000000043C540-mapping.dmp
    Download
  • memory/1408-88-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download