Overview

overview

7

Static

static

8ac3e1817b...f3.exe

windows7-x64

6

8ac3e1817b...f3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3.exe

  • Size

    72KB

  • MD5

    77d22b7e0a9a1fff4a7273bfe4321429

  • SHA1

    45c31bc66f81cdd191324d135b4745bade9503b6

  • SHA256

    8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3

  • SHA512

    ed5881825ca455b153839d73f50300f3adc14983a04bda2ce5e56283c010f96a7b0aab2c1acfb7716369c99e6649dc2f25a231a3275153696b4146f678e4902c

  • SSDEEP

    768:xvfnFrjhZ5xYaIY8bEM9ChqGOmyHKS2c7nWsDfSSg7wjobPcFTf3b6N44444jU:x3N5jMIqGOa8qsWt7GMPMTf3b6t

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3.exe
    "C:\Users\Admin\AppData\Local\Temp\8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3.exe
      C:\Users\Admin\AppData\Local\Temp\8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8ac3e1817b32e2be75d54619b456911f915168af28e9f2e41935c44a92d7b5f3.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
      2⤵
      • Drops file in Windows directory
      PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    181B

    MD5

    6a56a581b2503484cdf4a79c1e7c7566

    SHA1

    8039e6e77101b745ce9b29f3bd4a7762051b6e9f

    SHA256

    615765e1d3c832dcce2aae08c45ee60df68e069e1c87dbd3da0e06dcef6bc42b

    SHA512

    18b60ac465598cd17b10de54abd361e83373b0c4d5e2400352262b32ab0e522f209862e10da283111f3da63bc17214916baf51feb7402b45960b9719d3c0f10e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FPID8JE1.txt
    Filesize

    601B

    MD5

    0519e2bebc07bb5ca2b927c7116abdb4

    SHA1

    e61290d241b724b1ad96182b4c33c71a0270bfe3

    SHA256

    258244bad9f6d2010c46e66aa78242586aff954eef9adda7d5d06232b9284ae4

    SHA512

    680be70916372ac20662e97103ec767e5974015357cfdf39fd4f73944be6209c155a03e20ec217760357a10a7b9df8e6e4af9d9fd37507118c89c4620e0b3ea9

    Download Submit
  • memory/776-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-63-0x00000000004053CE-mapping.dmp
    Download
  • memory/1984-61-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1984-62-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1984-56-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1984-66-0x0000000000402000-0x0000000000405400-memory.dmp
    Filesize

    13KB

    Download
  • memory/1984-67-0x0000000000402000-0x0000000000405400-memory.dmp
    Filesize

    13KB

    Download
  • memory/1984-60-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1984-59-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1984-57-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2028-64-0x00000000760B1000-0x00000000760B3000-memory.dmp
    Filesize

    8KB

    Download