Overview

overview

6

Static

static

1ce1353483...b2.exe

windows7-x64

5

1ce1353483...b2.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2.exe

  • Size

    355KB

  • MD5

    b0a43e11a94b3905acdfc37f03447c6b

  • SHA1

    3d4810481a219fa37664956f375effd29fb4482e

  • SHA256

    1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2

  • SHA512

    750bcd493d5ec6b91470e148ca74267a73f58d7ce46813167006e23b28f5a4dfd53fa4c89326165e322531dfb057cdb13ed8dedf1e3d185a54f44842f05fb066

  • SSDEEP

    6144:Pk4IDOfw+587exGRoajt//Wi7bxb7GhDzd9AQVNq4KmTNmSMLA6szI31dyqE:MdDO3eeCOivxv4VVvJNmSYA6su8

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2.exe
      "C:\Users\Admin\AppData\Local\Temp\1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://steamfreeitems.weebly.com/uploads/3/1/7/0/31703493/5272617_orig.jpg
        3⤵
        • Adds Run key to start application
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffabad146f8,0x7ffabad14708,0x7ffabad14718
          4⤵
            PID:2920
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
            4⤵
              PID:4048
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4760
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
              4⤵
                PID:2588
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                4⤵
                  PID:3432
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                  4⤵
                    PID:2768
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5804 /prefetch:8
                    4⤵
                      PID:2568
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
                      4⤵
                        PID:3572
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
                        4⤵
                          PID:2312
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14300917613670502360,11123406470313689708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
                          4⤵
                            PID:1032
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                            4⤵
                              PID:4892
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:2600

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1ce1353483aff51904df9d1080d11918137e3f43e44d78ae5535e15f5c6f7ab2.exe.log
                          Filesize

                          223B

                          MD5

                          1cc4c5b51e50ec74a6880b50ecbee28b

                          SHA1

                          1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba

                          SHA256

                          0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b

                          SHA512

                          5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

                          Download Submit

                        • memory/1412-138-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2312-156-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2568-152-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2588-146-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2768-150-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2920-140-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3432-148-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3572-154-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4048-142-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4528-139-0x0000000074D60000-0x0000000075311000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/4528-137-0x0000000074D60000-0x0000000075311000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/4528-134-0x0000000000400000-0x000000000040C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/4528-133-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4760-143-0x0000000000000000-mapping.dmp

                          Download

                        • memory/4892-157-0x0000000000000000-mapping.dmp

                          Download

                        • memory/5104-132-0x0000000074D60000-0x0000000075311000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/5104-136-0x0000000074D60000-0x0000000075311000-memory.dmp

                          Filesize

                          5.7MB

                          Download