Overview

overview

7

Static

static

7

e6ae909e87...c1.dll

windows7-x64

7

e6ae909e87...c1.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    70s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6ae909e87b7c9548c22c7231d1f5a62f11ae21c62057ca2972fa5a2382dbfc1.dll

  • Size

    862KB

  • MD5

    8a5abaa245a3e8fed32689f1daaf0185

  • SHA1

    57417c64b6ff8610c1b2b4d263d46df15a3666f1

  • SHA256

    e6ae909e87b7c9548c22c7231d1f5a62f11ae21c62057ca2972fa5a2382dbfc1

  • SHA512

    51877433b7d96a43b77d5d313364876ab75f26613c41597f84eab64c98ca887f10a58c8c5f7df2a6c721b5fde699aa83aaab70311d55e1abe7aba7ca71c57cdd

  • SSDEEP

    12288:6gDIklTu75YtgDCVB9pR3idO970Ok/7DvALQjhzDLdv3/C2vWBuyDkbA:pDIN7Ot+CVBzRydm0OcbA8hLdv+BuG5

Score
7/10
evasionthemida

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ae909e87b7c9548c22c7231d1f5a62f11ae21c62057ca2972fa5a2382dbfc1.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ae909e87b7c9548c22c7231d1f5a62f11ae21c62057ca2972fa5a2382dbfc1.dll,#1
      2⤵
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/user/MRs0beit
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c6129b483428c62619699e960bcb7d29

    SHA1

    e79d2a4197f190f9458cfccec2b6cfb55b0b785c

    SHA256

    1f701443225aaf3b0f549002beead42ec378e60788c6a2be634a7d557c982ca0

    SHA512

    012b06c285396025fd81084f8ea8dcf9b1b1200294c409dd85ce445c3ad22902d0d61a4289d91de444d4b2612fa76d6d4e9640ef0ef7cf2ec99f47f2eb515e53

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize

    9KB

    MD5

    5528c952aeea097b2ca154a6415953e1

    SHA1

    353a6848577fda33dbfeca6364b4c7cbff7f0bd4

    SHA256

    636969b5622d684a35f5abf6f1a5d9c4a2e3951f51714648e885e0be56465c29

    SHA512

    5e077216216ed095448554e45dcb7f9ee73a576ea932cda12518413ffc80ff6fa57bff22cabe9f518dec88568697be26a063b209d45a0fba0f6709997cdf420b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\831PK8WR.txt
    Filesize

    603B

    MD5

    e3bbb27ec26600abacab612ff440052b

    SHA1

    3df3184b4b50f4a6efe7fd44be92d75476610c06

    SHA256

    5b1a594a261c53c4c97a754fe0515534b9012e98b4e3e2b114cdcaa696c0133e

    SHA512

    1638ce95d85be80fe943d76031818027cec350d349f40f1cd0e523ae3e017972ce60c87838f20337c91e7446b02c43b02d87b8d81f0ed5acec37ac7e4bf66167

    Download Submit
  • memory/956-54-0x0000000000000000-mapping.dmp
    Download
  • memory/956-55-0x00000000760E1000-0x00000000760E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/956-56-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/956-57-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/956-58-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/956-59-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/956-60-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/956-62-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/956-63-0x0000000002010000-0x0000000002250000-memory.dmp
    Filesize

    2.2MB

    Download