Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/11/2022, 04:44 UTC

General

  • Target

    02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe

  • Size

    690KB

  • MD5

    adcaa924811a0fe41126f8c12349c7cc

  • SHA1

    f6591b78a64f5815ddca7f58868fdd253ae1b964

  • SHA256

    02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e

  • SHA512

    d4d49e51aa59693d65697bc91c2c8cee0f5aecc65cd5419552bb27d1798aab6ba2cacc086a8ec3fa865115d090d4d6bda889a45df8e840513a2d7db6ef3065ad

  • SSDEEP

    12288:xC/6UNEwQIJnv+PfT5YYdMqpqhZVt75eMUKYX3SjVUujECfhpmDff9w3d7S:xSNN5bI3tuVtNhYX3qzQzadS

Malware Config

Signatures

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 16 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Modifies registry key 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe
    "C:\Users\Admin\AppData\Local\Temp\02640f2a7121d7bf1ac55ddb5fa44bbaaadb76cc00925555a506a52639fcaf8e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\svcr.exe
      "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1464
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1940
      • C:\Windows\svcr.exe
        "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\svcr.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
          4⤵
            PID:1840
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:1780
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Disables RegEdit via registry modification
          • Modifies registry key
          PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Disables RegEdit via registry modification
          • Modifies registry key
          PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:240
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
        PID:2036
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:896
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        2⤵
        PID:1812
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:1604
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        PID:288
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:884
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        PID:1632
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        2⤵
        PID:1652
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
          3⤵
          • Modifies registry key
          PID:1876
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1188

Network

  • DNS lookup by IEXPLORE.EXE, remote address 8.8.8.8:53
    Request: api.bing.com IN A
    Response:
      api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net
      api-bing-com.e-0001.e-msedge.net IN CNAME e-0001.e-msedge.net
      e-0001.e-msedge.net IN A 13.107.5.80

  Remote address | Domain | Protocol | Process | Data sent | Data received | Packets sent | Packets received
  204.79.197.200:443 | ieonline.microsoft.com | tls | IEXPLORE.EXE | 707 B | 7.6kB | 8 | 11
  8.8.8.8:53 | api.bing.com | dns | IEXPLORE.EXE | 58 B | 134 B | 1 | 1
    DNS Request: api.bing.com
    DNS Response: 13.107.5.80

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D714521-6FC4-11ED-9738-7E4CDA66D2DC}.dat
    Filesize: 5KB
    MD5: ec8c6f509aadac84efcd8752fe0fcee8
    SHA1: ebfbab2cd78181577354f3469095c60cd8c79cf4
    SHA256: 5930884f70556b9183c7318297d4054edb000e86e22db7427f992d45acdc555e
    SHA512: d117e5af17701031dcfe9330eeea03d7bbb75d963f578cb97e196c60e5821dd7a2b431c0247d4d8b76179e8f15461424d453eb873fb34ae61263574d938563b4

  • C:\Users\Admin\AppData\Local\Temp\svcr.exe
    Filesize: 600KB
    MD5: 8a2d783c9c968768694f76d5420d05e6
    SHA1: b42094c631e5f49e9eaefe69d10c53e42860901a
    SHA256: 2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c
    SHA512: 2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

  • C:\Users\Admin\AppData\Local\Temp\untitled.bmp
    Filesize: 57KB
    MD5: aec835cbaea21668eb71dbf7166ebf6e
    SHA1: 80208322929c926951ba2c80a532e2391313360f
    SHA256: 7c2c8b259d483c9c0b67a445b35e032440b3fd0e6b3631c00c22e92116a37874
    SHA512: 32653a113410fdfac25051c428d9b1f93b3471b54f7f64988395b7550992f58c825d0c8bdcb810642455d944f225c913bf2120c3a704e713c0d68581bb1a5400

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QL09NGM2.txt
    Filesize: 601B
    MD5: c1730c6e68fa25c92e190ff7da94c580
    SHA1: 091f4ddd116789d8d120c4da2404c380ecf348db
    SHA256: f049e8f4a9209fb3e63672e534f7a7ed82c98040f4a425df72be312601515b07
    SHA512: 42d4a84f27f2bfd4f5c2cdaa67ddd6d4ef3eb8f5fa8465f82e7ae0956f0f72631319f25df3ea48cd92bfc9ce5b9cfef3c58a392dcc5733db71e7e8eab41bc893

  • C:\Windows\svcr.exe
    Filesize: 600KB
    MD5: 8a2d783c9c968768694f76d5420d05e6
    SHA1: b42094c631e5f49e9eaefe69d10c53e42860901a
    SHA256: 2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c
    SHA512: 2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

  • \Users\Admin\AppData\Local\Temp\svcr.exe
    Filesize: 600KB
    MD5: 8a2d783c9c968768694f76d5420d05e6
    SHA1: b42094c631e5f49e9eaefe69d10c53e42860901a
    SHA256: 2c5504326ad54843d193eec238a949832bce8be35891fc2376e355795ac5ee6c
    SHA512: 2380b91ff9bde0af3d056f31b8f69c9dd1eb4e7e989224ae97fd9ac878bf7155a0c94c72a64e26a3021c65e3c0d83c711dfffe4b212350fb50169b17fd594c0b

  • memory/1416-63-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/1416-91-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/1416-66-0x0000000000350000-0x0000000000388000-memory.dmp
    Filesize: 224KB

  • memory/1416-75-0x0000000000350000-0x0000000000388000-memory.dmp
    Filesize: 224KB

  • memory/1416-76-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/1608-56-0x0000000075A91000-0x0000000075A93000-memory.dmp
    Filesize: 8KB

  • memory/1608-62-0x0000000003850000-0x000000000390E000-memory.dmp
    Filesize: 760KB

  • memory/1756-103-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB

  • memory/1756-104-0x00000000003C0000-0x00000000003F8000-memory.dmp
    Filesize: 224KB

  • memory/1756-96-0x0000000010410000-0x000000001042E000-memory.dmp
    Filesize: 120KB

  • memory/1756-94-0x00000000003C0000-0x00000000003F8000-memory.dmp
    Filesize: 224KB

  • memory/1756-93-0x0000000000400000-0x00000000004BE000-memory.dmp
    Filesize: 760KB
