Analysis

  • max time kernel
    149s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    28/11/2022, 02:59

General

  • Target

    copia do documento.paf.exe

  • Size

    132KB

  • MD5

    acdb106a9198ea196969ddba272a460e

  • SHA1

    9d246c7c3a0ea14ebe888015596964440606748b

  • SHA256

    ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d

  • SHA512

    5397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590

  • SSDEEP

    3072:fEJ4oxJrPhqrrm8Hj7ijhOHr3QVdAdjdrl2K98gXZsQ45GBdX8ckFQLGLCM:fIXxgGj5M/kFQLGLC

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\copia do documento.paf.exe
    "C:\Users\Admin\AppData\Local\Temp\copia do documento.paf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\Users\Admin\29112022.exe
      "C:\Users\Admin\29112022.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Installs/modifies Browser Helper Object
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2640
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s c:\Users\Admin\avjraebt\avjraebt.dll
        3⤵
          PID:3320
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s c:\Users\Admin\avjraebt\avjraebt.dll
          3⤵
            PID:620
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:532
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:17410 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4748

Downloads

  • C:\Users\Admin\29112022.exe

    Filesize

    132KB

    MD5

    acdb106a9198ea196969ddba272a460e

    SHA1

    9d246c7c3a0ea14ebe888015596964440606748b

    SHA256

    ffb9ba821cd0568e49e14db738158167c451e4747871339875f47d10e105132d

    SHA512

    5397f6cd799ebb4623e73a5b5ad361977d5508bd3465fd84ce11af6ab2b37eca23e005efde70e84d1ac379373fc0171af722d6741cfd27023680ec1c121f3590

  • C:\Users\Admin\29112022.tmp

    Filesize

    64B

    MD5

    60e70a9d67465323f659f6dbfd7250c7

    SHA1

    3a91f79a8c4326fd928bc3775cef0f9c71caf77e

    SHA256

    3005b3a88c12d57b51583bc71f33a13a659a4c4e2e3e7ad274775a148f1d26d2

    SHA512

    0c5372f182fd51fbe4acd1e602aa41249250b9c9a2d5b4cf399f220d4ca41ddb07d44f2f9be403285bb5cf8461a7ebe4eaf5c7ddb539a60344db1d4d6727da15