Overview

overview

8

Static

static

0f16f8428b...ad.exe

windows7-x64

8

0f16f8428b...ad.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    109s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f16f8428bdf6655be7f22ac1448a3496287340dab3bfde7e9ed221ef920b3ad.exe

  • Size

    633KB

  • MD5

    106257e4985825ee2d8fb474b5999c9f

  • SHA1

    c73937163cb4016673bdf4de8cbd76e8b2c86b13

  • SHA256

    0f16f8428bdf6655be7f22ac1448a3496287340dab3bfde7e9ed221ef920b3ad

  • SHA512

    0ee6e75b370c672bf5a452ca43457287b32db9db9aaa4c7b17cf287f5da4458133816a6a5454261a463f2254c2ce6f5770ebd2e420680b8fbac7bf978354cc41

  • SSDEEP

    12288:df4gJ24eNaIYW76MjR7SfGqXD8K45JiZcViZX:u4eNVj7hjRM83DiZWi

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f16f8428bdf6655be7f22ac1448a3496287340dab3bfde7e9ed221ef920b3ad.exe
    "C:\Users\Admin\AppData\Local\Temp\0f16f8428bdf6655be7f22ac1448a3496287340dab3bfde7e9ed221ef920b3ad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\Result.exe
      "C:\Users\Admin\AppData\Local\Temp\Result.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\Âèðóñ-Steam.exe
        "C:\Users\Admin\AppData\Local\Temp\Âèðóñ-Steam.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Users\Admin\AppData\Local\Temp\Âèðóñ.exe
        "C:\Users\Admin\AppData\Local\Temp\Âèðóñ.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://iplogger.ru/1W4m4.jpg
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Build.bat
    Filesize

    76B

    MD5

    629aa3737ab828c1daafdf9640fb87db

    SHA1

    d7faccdedb4565617b425ead9bcfdbeb69adb28e

    SHA256

    66af6a3f595399a501ece86f35cd706afc54fd7aa185996d19f835ce0adfa030

    SHA512

    d5c61cea9e25c2c3619684e4902db6be9d3d248453f10dfc82fac0207e4b64f8f1ef9ab4ab64b88fa25dd6ac23048357d904bf965f2bcbc82fd49b16a0a3ce38

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Result.exe
    Filesize

    1009KB

    MD5

    14fcd7a2a5495a7775bb86fff7029caa

    SHA1

    611957b6f409d8d8dd20f122294d5e2be59847a3

    SHA256

    9c9755b1d728f5bd5b57e3cfc4eadde041e5ad3d507bf728a20763c838318c13

    SHA512

    b51e0e152cf8198bc93169fd717d69812cb0588945f893c13c572f4475dab406a32381e7b7798777e784d9b409f94a6eb934db1e54b0d3d0ac2ee40317547633

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Âèðóñ-Steam.exe
    Filesize

    499KB

    MD5

    58ed1a53c7cf1074def7e0d18d8e9c39

    SHA1

    a3b828620ae7f83af2fe944a485f6e77ce316237

    SHA256

    b640b3fea133a236c5eced8985bb3fb0925eb7a22f3b6a6878ecb93a869f2a64

    SHA512

    45819204ba576983aa1ef56357d1ecefa4939611317e98a85f51913782803f3415ffb3102dc778b31aafaa8a836d819c5453fe128f00f00bcfea923c5af3a3c0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Âèðóñ-Steam.exe
    Filesize

    499KB

    MD5

    58ed1a53c7cf1074def7e0d18d8e9c39

    SHA1

    a3b828620ae7f83af2fe944a485f6e77ce316237

    SHA256

    b640b3fea133a236c5eced8985bb3fb0925eb7a22f3b6a6878ecb93a869f2a64

    SHA512

    45819204ba576983aa1ef56357d1ecefa4939611317e98a85f51913782803f3415ffb3102dc778b31aafaa8a836d819c5453fe128f00f00bcfea923c5af3a3c0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Âèðóñ.exe
    Filesize

    499KB

    MD5

    97761fa2232e16b836ffedb45b60c07d

    SHA1

    af2c706dd04efab73f43850a32a70c5763eb8317

    SHA256

    f5aee1739022f653cee3108062df3c5deec7a7a884f5a16053f47434abc2dd85

    SHA512

    2b1e97bbbb7f2bfd762c085afa14bda97d62881fa2cb703d78488897a8bcadb72be4d9fddc665b98979b8f968fb6a97c99f220068223f95c112060d749a7e653

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Âèðóñ.exe
    Filesize

    499KB

    MD5

    97761fa2232e16b836ffedb45b60c07d

    SHA1

    af2c706dd04efab73f43850a32a70c5763eb8317

    SHA256

    f5aee1739022f653cee3108062df3c5deec7a7a884f5a16053f47434abc2dd85

    SHA512

    2b1e97bbbb7f2bfd762c085afa14bda97d62881fa2cb703d78488897a8bcadb72be4d9fddc665b98979b8f968fb6a97c99f220068223f95c112060d749a7e653

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0584MUNE.txt
    Filesize

    608B

    MD5

    e0247daad12fb78b2c49c031301373e0

    SHA1

    442980a1908069df0e7ffb6597d6ed83e06ed280

    SHA256

    81bd1e12dda51690b0690f04fd320f37c8d6795d4d17bd7f8c42d2228d05739c

    SHA512

    7463420429811ac221646273a7b243b9c37c1daf69093c69cc12a9bce286bc297f5bd30aee094a9b7f414f54dafe1c5db98c4a7a6604a50c3e1cf8d8af50bceb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Result.exe
    Filesize

    1009KB

    MD5

    14fcd7a2a5495a7775bb86fff7029caa

    SHA1

    611957b6f409d8d8dd20f122294d5e2be59847a3

    SHA256

    9c9755b1d728f5bd5b57e3cfc4eadde041e5ad3d507bf728a20763c838318c13

    SHA512

    b51e0e152cf8198bc93169fd717d69812cb0588945f893c13c572f4475dab406a32381e7b7798777e784d9b409f94a6eb934db1e54b0d3d0ac2ee40317547633

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Result.exe
    Filesize

    1009KB

    MD5

    14fcd7a2a5495a7775bb86fff7029caa

    SHA1

    611957b6f409d8d8dd20f122294d5e2be59847a3

    SHA256

    9c9755b1d728f5bd5b57e3cfc4eadde041e5ad3d507bf728a20763c838318c13

    SHA512

    b51e0e152cf8198bc93169fd717d69812cb0588945f893c13c572f4475dab406a32381e7b7798777e784d9b409f94a6eb934db1e54b0d3d0ac2ee40317547633

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Âèðóñ-Steam.exe
    Filesize

    499KB

    MD5

    58ed1a53c7cf1074def7e0d18d8e9c39

    SHA1

    a3b828620ae7f83af2fe944a485f6e77ce316237

    SHA256

    b640b3fea133a236c5eced8985bb3fb0925eb7a22f3b6a6878ecb93a869f2a64

    SHA512

    45819204ba576983aa1ef56357d1ecefa4939611317e98a85f51913782803f3415ffb3102dc778b31aafaa8a836d819c5453fe128f00f00bcfea923c5af3a3c0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Âèðóñ.exe
    Filesize

    499KB

    MD5

    97761fa2232e16b836ffedb45b60c07d

    SHA1

    af2c706dd04efab73f43850a32a70c5763eb8317

    SHA256

    f5aee1739022f653cee3108062df3c5deec7a7a884f5a16053f47434abc2dd85

    SHA512

    2b1e97bbbb7f2bfd762c085afa14bda97d62881fa2cb703d78488897a8bcadb72be4d9fddc665b98979b8f968fb6a97c99f220068223f95c112060d749a7e653

    Download Submit
  • memory/760-54-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1120-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1120-72-0x0000000000D40000-0x0000000000DC2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1404-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1704-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1704-71-0x0000000000290000-0x0000000000312000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1704-73-0x0000000000240000-0x0000000000278000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1704-74-0x0000000000280000-0x0000000000286000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1884-68-0x0000000000000000-mapping.dmp
    Download