Analysis

  • max time kernel
    157s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 22:16

General

  • Target

    copia_do_documento.exe

  • Size

    140KB

  • MD5

    da23a82c2b7f0e3be078dac023e36914

  • SHA1

    836feba24264859fd7a7a73964386342f7757a36

  • SHA256

    4fc6e89128e13ba773311448e69a718b278172810537caee89fe415457f73142

  • SHA512

    1484f659e12be82d4ecc7f27c6edf364e935c0acc0a86245d1f8fc47d33ea8ec6df3ab7e2b922672f68b62a5a5b7edbcfbde8b34f61ca537858b2a81549534e9

  • SSDEEP

    3072:KqhVNmE0yFVOaeDF9eoyfp7zoH8wf4iBHeS:KqrNJ8ooyF48wf4iBHe

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\copia_do_documento.exe
    "C:\Users\Admin\AppData\Local\Temp\copia_do_documento.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\28112022.exe
      "C:\Users\Admin\28112022.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Installs/modifies Browser Helper Object
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4224
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s c:\Users\Admin\rconatdi\rconatdi.dll
        3⤵
          PID:5024
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s c:\Users\Admin\rconatdi\rconatdi.dll
          3⤵
            PID:4936
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1820
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1292

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\28112022.exe

    Filesize

    140KB

    MD5

    da23a82c2b7f0e3be078dac023e36914

    SHA1

    836feba24264859fd7a7a73964386342f7757a36

    SHA256

    4fc6e89128e13ba773311448e69a718b278172810537caee89fe415457f73142

    SHA512

    1484f659e12be82d4ecc7f27c6edf364e935c0acc0a86245d1f8fc47d33ea8ec6df3ab7e2b922672f68b62a5a5b7edbcfbde8b34f61ca537858b2a81549534e9

  • C:\Users\Admin\28112022.tmp

    Filesize

    60B

    MD5

    9f288d9e8cc3e677598b3f8ec45e5a5c

    SHA1

    efc1f0f5a05e2ffd6b516f8a0ceb4cd5f8c005a0

    SHA256

    815bfdb2782c81f536cfd6b77f550d3b7dd087dab0e00c5101307c96dca60f18

    SHA512

    1c68c6a88ee687e2882153f6706fc875529778d98596a33f7eac078bb265ffa2c1c342e2c5a94df1335aa52f63405f5b608cec066bfaa96d0e33b047456868eb