Overview

overview

8

Static

static

b26efaf760...c7.exe

windows7-x64

8

b26efaf760...c7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe

  • Size

    3.7MB

  • MD5

    59f973362a017d73908f1b5e644b3e92

  • SHA1

    7587ec3ccb0f63f2d454d39f96a9888d6b29e3fe

  • SHA256

    b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7

  • SHA512

    9e58ad431d75f1586f43a1c31f95ddef22c68cdf6f83e41af146ab8c562e41488558f463a24d65c627ab16180add38137ca68e48620b7592b7dd621760c36765

  • SSDEEP

    49152:GKONXlQJ6NB9gA+FnLl3CeMwFZ0+TmM3HuETOsmVF8I8fD9vxBtCKd9EZ:oNJH+xLtCGtirsmb8vRZBLYZ

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe
    "C:\Users\Admin\AppData\Local\Temp\b26efaf760bce49571ac68ca8a086e56cf411a0098ab6fd92dc76427ed1638c7.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
      C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\18DJQUYc.exe
        C:\18DJQUYc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
      "C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe"
      2⤵
      • Executes dropped EXE
      PID:1440
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://bbs.waig8.com/forum.php?mod=forumdisplay&fid=80
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1392
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://shop110665107.taobao.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1148 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:308
    • C:\Windows\empty.exe
      C:\Windows\empty.exe 1056
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\18DJQUYc.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • C:\18DJQUYc.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d3d688145861a51948e0151f0b1c5fea

    SHA1

    bbf83a3d2acda7bb6dd80139dc57a5ebaeb2bacb

    SHA256

    7d666791471bbc616d120e3004a86318637473032d2c157a141c9a91e5320e69

    SHA512

    40268a895be74f43cb507347a215c39af4750decf991d7c8298c33f9c36ae9d4789f77cb97f99b3899ad47e2fc240d05d279f8aea517ee5e1cd5a916011cb964

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8DBB0C1-6F42-11ED-AD72-5E7A81A7298C}.dat
    Filesize

    5KB

    MD5

    7d5765897408f8944e95ccb6fed90540

    SHA1

    e1ef7f68bdd0b0968028187f4107fcaeb20650b2

    SHA256

    413c86cba8f0d07baaabd4f752bd941a12990c7f774b5d9193d5096187bdda11

    SHA512

    8c1f8ffb025cb3566578c1f6d1f40688f7d722a5b0a0be89d475139c373aa12e4f81e1ec95517ccf1acae92a95de847cb99e3a1d12ae2044c9f08f5561699e09

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8E07381-6F42-11ED-AD72-5E7A81A7298C}.dat
    Filesize

    4KB

    MD5

    53fd0ccfa3da7e6c272adabba4b1c869

    SHA1

    1d6a92759cddb59b5deb83832e5acdd56e47d1c4

    SHA256

    d499eea2372e787e4391c5f5d1fca97fb2c9f42ea8a9f28f07fb340bd8fd9bb0

    SHA512

    c0a0e2766aa2d46df120eb6c7b1383ef0be8b22af78c154bbaf46e38f927a04869dcf2b5165d84ba9574d1ac8bdcd400183006433b8281a9fc8c8f592f6ee3ea

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize

    20KB

    MD5

    1a0c8cd17996c695939fe80621f88fc0

    SHA1

    b2bb494767fcaeb0316bd3ae690404f5ed5a24be

    SHA256

    6d64ae491f5b979244956928735c37af674be80f9faf66884f6b47c635d4c446

    SHA512

    6fdff83d1b09150662e83ce926d54fc33c12ff17e254d00125e8c392591a8338d92dfdd4bc71d85f4ab818c43ebea15c997d6334395f36bbd87d3662629d645c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X58ZQ6RW.txt
    Filesize

    603B

    MD5

    495953a40e545bf880fd6f24c8cdc425

    SHA1

    16ae94275719028ed23e23258a091c534c5f18ee

    SHA256

    9f08ee593672f1894ed91fb0d1d3477ec73831ad98c494134333afa75599ec8b

    SHA512

    6b3c11ada4bfdbdaebca98d3098e5d15807f8369b4c11a7338801ccdb2ac276acd26a179b479a3a4be4a1d9527ddca3c7f8b29891626d28f4c9bb50924cac87f

    Download Submit

  • C:\Windows\empty.exe
    Filesize

    9KB

    MD5

    523d5c39f9d8d2375c3df68251fa2249

    SHA1

    d4ed365c44bec9246fc1a65a32a7791792647a10

    SHA256

    20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

    SHA512

    526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Q³è´óÀÖ¶·.exe
    Filesize

    680KB

    MD5

    80ce85ebf76d47cf796e9dc816f5dcba

    SHA1

    d70c7591a9af0e3ce93ac04caff050982b9c1932

    SHA256

    9c26d02e74a1f8c385e78a86dc47934ba715f2e6dbbf629624fb6c1a7e1a3600

    SHA512

    091d10a63c5bdd2c00471f34ffa7b8b473d5c175660d1e3c8b2ebecbef3bef703fa7b22d16f3e4e82484b9891008a0da50fa2006f8ff06fc3b6c9c981c2f47d2

    Download Submit

  • memory/1056-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

    Filesize

    8KB

    Download