Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 16:18

General

  • Target

    5c09578946ee66b6565d343a1575cd663ce5d95880f83965f67e7b20d31e9ab5.exe

  • Size

    1.4MB

  • MD5

    255750fa2595052c746f4fe49c81647b

  • SHA1

    edcf247762ccde5267883ec3a47f2fb3334fca33

  • SHA256

    5c09578946ee66b6565d343a1575cd663ce5d95880f83965f67e7b20d31e9ab5

  • SHA512

    b9a3f4961090338300b3addfaac7755f4b915ee4d841d001d937663a79f73881a6601c13f38b915e5272e5afc30463ac78fe5fe441fa8dfe852e008367454cd3

  • SSDEEP

    1536:cd04boUzdIBsZUpUQSe1sjL/91IqmM4nouy8:cdJboUpEsueFssP11I5Mwout

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c09578946ee66b6565d343a1575cd663ce5d95880f83965f67e7b20d31e9ab5.exe
    "C:\Users\Admin\AppData\Local\Temp\5c09578946ee66b6565d343a1575cd663ce5d95880f83965f67e7b20d31e9ab5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3460
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:340
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1044 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3792

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      2KB

      MD5

      76e7d5bf61b2e80d159f88aa9798ce91

      SHA1

      32a46de50c9c02b068e39cf49b78c7e2d5ace20d

      SHA256

      280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

      SHA512

      5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      dedb504b3469b24ec0df79c68f5772e2

      SHA1

      177a8b1045b456316ca32d90aba942bf34774c64

      SHA256

      e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0

      SHA512

      101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      916c512d221c683beeea9d5cb311b0b0

      SHA1

      bf0db4b1c4566275b629efb095b6ff8857b5748e

      SHA256

      64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

      SHA512

      af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F
      Filesize

      472B

      MD5

      cfbcb12817712d4f8f816c208590444a

      SHA1

      9999caeedbb1a95ae4236a5b962c233633df6799

      SHA256

      b5a41ab77d5ff4ba1a17ff074eb91bc18824d56dfc4b6c3320e900bbd6f3a90a

      SHA512

      a70eb8c366dfa0226cd62dbffbf51bd2da25571a6ff6b1f2e44dd8d9193a72f79ab7d90367378edf808ff3152ca45bf2a6ba3d64882d0f6d4aa437b6881d13f2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      488B

      MD5

      f4d7a0ccf7b25aee3a3fe2721a089cc9

      SHA1

      314ad103aa6a80a670a34f949209f46caf59dd08

      SHA256

      a56d6fbb3c86fe5ab0007c8c6d1cb13d32fd2a7497f5740179bad35e1b3bff2b

      SHA512

      78b1beb37e0549a6bceaae58be25da1f98adc287fcc2d2dac28a49504707406620272f2e3375a83b04bb53168f63bd98a14e9ae28cbd13aeb5a1625928ee89bb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      83c7a392b9a0cd1ddf8fc54de6fc3f81

      SHA1

      307cc02be096daa9d38c019869b901780ffb768f

      SHA256

      a3e64d9e734c861194308491a6c9753b4ca32eb59655ce845dead6149f4e1d12

      SHA512

      9e0cdac243af821316fbce758eaf1e1a122119d14acf24809ea9dfeaedf3bbffbea31b252b68f73a64d8270fc34d1a39f9509fb3a91b568dd8a0e78cdd288da1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      78d73f0795df84fa4f57feae93237a03

      SHA1

      7bfd0fecfe5b6e389ba1f1455fdecb243e3ca57a

      SHA256

      2b9c85d369f153f3fe13def4e76882ae188c0c4959cac3ad5d822521502b030b

      SHA512

      b6ce6b26c0a745568bb24319d2761ed1e5114782dee011885e4b4a09887146a04b8c8270c1e4c9f3cd0aa08f7f8c5312577218aee11291e295ba44d0ce28881b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F
      Filesize

      480B

      MD5

      90bf78b34f8d55c5f7283c0cf8074e28

      SHA1

      3ceb624311fe5c2f5c2062d1368418af90075d5b

      SHA256

      5606ef9d4db99da8d28064e392a77fd2d94bb4c579d729074f5b91b4260e63ef

      SHA512

      de7edd2d66161e36f0f71ca16e572f47410a72099d582df61cc5eb039792c961edcdce73bde8d9c41db1fd6447a92efd9fb94be2b705ab5ca28e69c531bdd108

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      1.4MB

      MD5

      255750fa2595052c746f4fe49c81647b

      SHA1

      edcf247762ccde5267883ec3a47f2fb3334fca33

      SHA256

      5c09578946ee66b6565d343a1575cd663ce5d95880f83965f67e7b20d31e9ab5

      SHA512

      b9a3f4961090338300b3addfaac7755f4b915ee4d841d001d937663a79f73881a6601c13f38b915e5272e5afc30463ac78fe5fe441fa8dfe852e008367454cd3

    • memory/1516-134-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

    • memory/1516-139-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

    • memory/3136-141-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

    • memory/3136-157-0x0000000000400000-0x0000000000447000-memory.dmp
      Filesize

      284KB

    • memory/3136-135-0x0000000000000000-mapping.dmp
    • memory/3460-150-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

    • memory/3460-147-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

    • memory/3460-146-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

    • memory/3460-158-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

    • memory/3460-143-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize

      252KB

    • memory/3460-142-0x0000000000000000-mapping.dmp