Overview

overview

8

Static

static

b26efaf760...c7.exe

windows7-x64

8

b26efaf760...c7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 18:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe

  • Size

    3.7MB

  • MD5

    59f973362a017d73908f1b5e644b3e92

  • SHA1

    7587ec3ccb0f63f2d454d39f96a9888d6b29e3fe

  • SHA256

    b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7

  • SHA512

    9e58ad431d75f1586f43a1c31f95ddef22c68cdf6f83e41af146ab8c562e41488558f463a24d65c627ab16180add38137ca68e48620b7592b7dd621760c36765

  • SSDEEP

    49152:GKONXlQJ6NB9gA+FnLl3CeMwFZ0+TmM3HuETOsmVF8I8fD9vxBtCKd9EZ:oNJH+xLtCGtirsmb8vRZBLYZ

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
    "C:\Users\Admin\AppData\Local\Temp\b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
      C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\18DJQUYc.exe
        C:\18DJQUYc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
      "C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe"
      2⤵
      • Executes dropped EXE
      PID:1440
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://bbs.waig8.com/forum.php?mod=forumdisplay&fid=80
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1392
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://shop110665107.taobao.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1148 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:308
    • C:\Windows\empty.exe
      C:\Windows\empty.exe 1056
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:816

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\18DJQUYc.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • C:\18DJQUYc.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d3d688145861a51948e0151f0b1c5fea

          SHA1

          bbf83a3d2acda7bb6dd80139dc57a5ebaeb2bacb

          SHA256

          7d666791471bbc616d120e3004a86318637473032d2c157a141c9a91e5320e69

          SHA512

          40268a895be74f43cb507347a215c39af4750decf991d7c8298c33f9c36ae9d4789f77cb97f99b3899ad47e2fc240d05d279f8aea517ee5e1cd5a916011cb964

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8DBB0C1-6F42-11ED-AD72-5E7A81A7298C}.dat
          Filesize

          5KB

          MD5

          7d5765897408f8944e95ccb6fed90540

          SHA1

          e1ef7f68bdd0b0968028187f4107fcaeb20650b2

          SHA256

          413c86cba8f0d07baaabd4f752bd941a12990c7f774b5d9193d5096187bdda11

          SHA512

          8c1f8ffb025cb3566578c1f6d1f40688f7d722a5b0a0be89d475139c373aa12e4f81e1ec95517ccf1acae92a95de847cb99e3a1d12ae2044c9f08f5561699e09

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8E07381-6F42-11ED-AD72-5E7A81A7298C}.dat
          Filesize

          4KB

          MD5

          53fd0ccfa3da7e6c272adabba4b1c869

          SHA1

          1d6a92759cddb59b5deb83832e5acdd56e47d1c4

          SHA256

          d499eea2372e787e4391c5f5d1fca97fb2c9f42ea8a9f28f07fb340bd8fd9bb0

          SHA512

          c0a0e2766aa2d46df120eb6c7b1383ef0be8b22af78c154bbaf46e38f927a04869dcf2b5165d84ba9574d1ac8bdcd400183006433b8281a9fc8c8f592f6ee3ea

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
          Filesize

          20KB

          MD5

          1a0c8cd17996c695939fe80621f88fc0

          SHA1

          b2bb494767fcaeb0316bd3ae690404f5ed5a24be

          SHA256

          6d64ae491f5b979244956928735c37af674be80f9faf66884f6b47c635d4c446

          SHA512

          6fdff83d1b09150662e83ce926d54fc33c12ff17e254d00125e8c392591a8338d92dfdd4bc71d85f4ab818c43ebea15c997d6334395f36bbd87d3662629d645c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X58ZQ6RW.txt
          Filesize

          603B

          MD5

          495953a40e545bf880fd6f24c8cdc425

          SHA1

          16ae94275719028ed23e23258a091c534c5f18ee

          SHA256

          9f08ee593672f1894ed91fb0d1d3477ec73831ad98c494134333afa75599ec8b

          SHA512

          6b3c11ada4bfdbdaebca98d3098e5d15807f8369b4c11a7338801ccdb2ac276acd26a179b479a3a4be4a1d9527ddca3c7f8b29891626d28f4c9bb50924cac87f

          Download Submit

        • C:\Windows\empty.exe
          Filesize

          9KB

          MD5

          523d5c39f9d8d2375c3df68251fa2249

          SHA1

          d4ed365c44bec9246fc1a65a32a7791792647a10

          SHA256

          20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

          SHA512

          526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
          Filesize

          680KB

          MD5

          80ce85ebf76d47cf796e9dc816f5dcba

          SHA1

          d70c7591a9af0e3ce93ac04caff050982b9c1932

          SHA256

          9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

          SHA512

          091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

          Download Submit

        • memory/1056-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

          Filesize

          8KB

          Download