Analysis
-
max time kernel
110s -
max time network
111s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28/11/2022, 02:48
General
-
Target
ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d.exe
-
Size
132KB
-
MD5
acdb106a9198ea196969ddba272a460e
-
SHA1
9d246c7c3a0ea14ebe888015596964440606748b
-
SHA256
ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d
-
SHA512
5397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590
-
SSDEEP
3072:fEJ4oxJrPhqrrm8Hj7ijhOHr3QVdAdjdrl2K98gXZsQ45GBdX8ckFQLGLCM:fIXxgGj5M/kFQLGLC
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d.exe"C:\Users\Admin\AppData\Local\Temp\ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\29112022.exe"C:\Users\Admin\29112022.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe /s c:\Users\Admin\vhsrecdc\vhsrecdc.dll3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s c:\Users\Admin\vhsrecdc\vhsrecdc.dll3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5acdb106a9198ea196969ddba272a460e
SHA19d246c7c3a0ea14ebe888015596964440606748b
SHA256ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d
SHA5125397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590
-
Filesize
132KB
MD5acdb106a9198ea196969ddba272a460e
SHA19d246c7c3a0ea14ebe888015596964440606748b
SHA256ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d
SHA5125397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590
-
Filesize
106B
MD595e82e402d75842b9acfb6b6a35458fa
SHA13b40fc4e277564b1f7c35bb9ef5072f2f5931126
SHA256f2635a4317c9a086899079bed035f0ee1e2f12f59b5fb070d5a4f627e57f895d
SHA5121025cfc5963fac8829e3102705303adf1c671a9ac2d255f45b6255f1125c37321bd2d63a232387855ea3b7f8812615c21f6dda0a8d70855d807618a528f5e366
-
Filesize
608B
MD5dcb908a1ebcea1b40b01b03717317e18
SHA17244c56f05d5ab044d6b1d410d72d0f93dbc48d1
SHA256200363b0b9d85840b6710eeb2db1bb0a4565b1b462e84333f4b66635dd7275a6
SHA512d849d240b8117eb28ecaf7679ce8336645a844dc67728bc358e7c1c000154d003081efe893e79aa8ffd6fe234e19a75a523bce32a3e9d5d389364582ff6c6e06
-
Filesize
132KB
MD5acdb106a9198ea196969ddba272a460e
SHA19d246c7c3a0ea14ebe888015596964440606748b
SHA256ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d
SHA5125397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590
-
Filesize
132KB
MD5acdb106a9198ea196969ddba272a460e
SHA19d246c7c3a0ea14ebe888015596964440606748b
SHA256ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d
SHA5125397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590
-
Filesize
8KB