Overview

overview

8

Static

static

aa26d955b2...90.exe

windows7-x64

8

aa26d955b2...90.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    129s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe

  • Size

    190KB

  • MD5

    2a1b085320b311b977c4c02862d76fcd

  • SHA1

    02e00f29130dfa972be70763cdb70cb63d10a65e

  • SHA256

    aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90

  • SHA512

    78d51a9f7178e47959c41dc88e7ed9cbbfcd2223dcdf70cab428903b92c5577a9ab53bebc40694c010bf41e8be19f5b03669a9f06084793ab5d364c2acc3db73

  • SSDEEP

    3072:89NzEfwf32SvZZ+0UxVG/PedD2v+V1b4NMeMRzJ4uf40RLWhX66NsTU/pTC0F0cK:89eYfJvzB6U/qpcMei14uf40xEqCGU/+

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe
    "C:\Users\Admin\AppData\Local\Temp\aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Users\Admin\AppData\Local\Temp\aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe
      C:\Users\Admin\AppData\Local\Temp\aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aa26d955b2a5945e704d48298bd5d7027ef795e682b424829650d854b2873c90.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WQU5VAN9.txt
    Filesize

    601B

    MD5

    9c471da7011c39af96dc00b4f69422c4

    SHA1

    55f3a4c7301e42c3eb9cbc377e51c183c797d40d

    SHA256

    45accb17c2da8e33c00cae0d7fa7b6e5591a7a49cf3787f8475e3978ab71fc2c

    SHA512

    8a1262ba6a5fb032b258ba8414c13fd67778da348f8d61245c879d0e35fc8ae9c1dac39eaac492799392a35e27ff09768782f7d5072cb13ee9a74e424c937c26

    Download Submit

  • memory/1428-55-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1428-74-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1684-61-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1684-60-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1684-58-0x0000000000415CC0-mapping.dmp

    Download

  • memory/1684-73-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1684-57-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1724-65-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1724-64-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1724-67-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1724-68-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1724-69-0x0000000000416B0E-mapping.dmp

    Download

  • memory/1724-71-0x0000000000402000-0x0000000000416C00-memory.dmp

    Filesize

    83KB

    Download

  • memory/1724-72-0x0000000000402000-0x0000000000416C00-memory.dmp

    Filesize

    83KB

    Download

  • memory/1724-75-0x00000000754E1000-0x00000000754E3000-memory.dmp

    Filesize

    8KB

    Download