Overview

overview

8

Static

static

02640f2a71...8e.exe

windows7-x64

8

02640f2a71...8e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 04:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe

  • Size

    690KB

  • MD5

    adcaa924811a0fe41126f8c12349c7cc

  • SHA1

    f6591b78a64f5815ddca7f58868fdd253ae1b964

  • SHA256

    02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e

  • SHA512

    d4d49e51aa59693d65697bc91c2c8cee0f5aecc65cd5419552bb27d1798aab6ba2cacc086a8ec3fa865115d090d4d6bda889a45df8e840513a2d7db6ef3065ad

  • SSDEEP

    12288:xC/6UNEwQIJnv+PfT5YYdMqpqhZVt75eMUKYX3SjVUujECfhpmDff9w3d7S:xSNN5bI3tuVtNhYX3qzQzadS

Score
8/10
evasionpersistenceupx

Malware Config

Signatures

  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 16 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
    "C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\svcr.exe
      "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1464
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1940
      • C:\Windows\svcr.exe
        "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
          4⤵
            PID:1840
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:1780
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Disables RegEdit via registry modification
          • Modifies registry key
          PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Disables RegEdit via registry modification
          • Modifies registry key
          PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:240
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
          PID:2036
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            3⤵
            • Modifies registry key
            PID:896
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          2⤵
            PID:1812
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
              3⤵
              • Modifies registry key
              PID:1604
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
            2⤵
              PID:288
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                3⤵
                • Modifies registry key
                PID:884
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
              2⤵
                PID:1632
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                  3⤵
                  • Modifies registry key
                  PID:1856
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
                2⤵
                  PID:1652
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
                    3⤵
                    • Modifies registry key
                    PID:1876
              • C:\Windows\SysWOW64\DllHost.exe
                C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                1⤵
                • Suspicious use of FindShellTrayWindow
                PID:1188

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D714521-6FC4-11ED-9738-7E4CDA66D2DC}.dat
                Filesize

                5KB

                MD5

                ec8c6f509aadac84efcd8752fe0fcee8

                SHA1

                ebfbab2cd78181577354f3469095c60cd8c79cf4

                SHA256

                5930884f70556b9183c7318297d4054edb000e86e22db7427f992d45acdc555e

                SHA512

                d117e5af17701031dcfe9330eeea03d7bbb75d963f578cb97e196c60e5821dd7a2b431c0247d4d8b76179e8f15461424d453eb873fb34ae61263574d938563b4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\svcr.exe
                Filesize

                600KB

                MD5

                8a2d783c9c968768694f76d5420d05e6

                SHA1

                b42094c631e5f49e9eaefe69d10c53e42860901a

                SHA256

                2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

                SHA512

                2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\svcr.exe
                Filesize

                600KB

                MD5

                8a2d783c9c968768694f76d5420d05e6

                SHA1

                b42094c631e5f49e9eaefe69d10c53e42860901a

                SHA256

                2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

                SHA512

                2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\untitled.bmp
                Filesize

                57KB

                MD5

                aec835cbaea21668eb71dbf7166ebf6e

                SHA1

                80208322929c926951ba2c80a532e2391313360f

                SHA256

                7c2c8b259d483c9c0b67a445b35e032440b3fd0e6b3631c00c22e92116a37874

                SHA512

                32653a113410fdfac25051c428d9b1f93b3471b54f7f64988395b7550992f58c825d0c8bdcb810642455d944f225c913bf2120c3a704e713c0d68581bb1a5400

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QL09NGM2.txt
                Filesize

                601B

                MD5

                c1730c6e68fa25c92e190ff7da94c580

                SHA1

                091f4ddd116789d8d120c4da2404c380ecf348db

                SHA256

                f049e8f4a9209fb3e63672e534f7a7ed82c98040f4a425df72be312601515b07

                SHA512

                42d4a84f27f2bfd4f5c2cdaa67ddd6d4ef3eb8f5fa8465f82e7ae0956f0f72631319f25df3ea48cd92bfc9ce5b9cfef3c58a392dcc5733db71e7e8eab41bc893

                Download Submit

              • C:\Windows\svcr.exe
                Filesize

                600KB

                MD5

                8a2d783c9c968768694f76d5420d05e6

                SHA1

                b42094c631e5f49e9eaefe69d10c53e42860901a

                SHA256

                2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

                SHA512

                2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

                Download Submit

              • \Users\Admin\AppData\Local\Temp\svcr.exe
                Filesize

                600KB

                MD5

                8a2d783c9c968768694f76d5420d05e6

                SHA1

                b42094c631e5f49e9eaefe69d10c53e42860901a

                SHA256

                2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

                SHA512

                2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

                Download Submit

              • \Users\Admin\AppData\Local\Temp\svcr.exe
                Filesize

                600KB

                MD5

                8a2d783c9c968768694f76d5420d05e6

                SHA1

                b42094c631e5f49e9eaefe69d10c53e42860901a

                SHA256

                2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c

                SHA512

                2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

                Download Submit

              • memory/1416-63-0x0000000000400000-0x00000000004BE000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1416-91-0x0000000000400000-0x00000000004BE000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1416-66-0x0000000000350000-0x0000000000388000-memory.dmp

                Filesize

                224KB

                Download

              • memory/1416-75-0x0000000000350000-0x0000000000388000-memory.dmp

                Filesize

                224KB

                Download

              • memory/1416-76-0x0000000000400000-0x00000000004BE000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1608-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1608-62-0x0000000003850000-0x000000000390E000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1756-103-0x0000000000400000-0x00000000004BE000-memory.dmp

                Filesize

                760KB

                Download

              • memory/1756-104-0x00000000003C0000-0x00000000003F8000-memory.dmp

                Filesize

                224KB

                Download

              • memory/1756-96-0x0000000010410000-0x000000001042E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1756-94-0x00000000003C0000-0x00000000003F8000-memory.dmp

                Filesize

                224KB

                Download

              • memory/1756-93-0x0000000000400000-0x00000000004BE000-memory.dmp

                Filesize

                760KB

                Download