Analysis

  • max time kernel
    107s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 15:20

General

  • Target

    eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1.exe

  • Size

    1.3MB

  • MD5

    e969721bbcbbaecaf72ab2bc214cb9c1

  • SHA1

    50fb570b74d03bc5ac25c8b4972249360fac711a

  • SHA256

    eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

  • SHA512

    64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

  • SSDEEP

    24576:3tb20pkaCqT5TBWgNQ7aKC0N39gKSKLb2sr5wUCsNOLJ6A:0Vg5tQ7aKdN3KKS2b2sr5b5O5

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1.exe
    "C:\Users\Admin\AppData\Local\Temp\eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1.exe"
    1⤵
    • Loads dropped DLL
    • NTFS ADS
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Roaming\9736.exe
      "C:\Users\Admin\AppData\Roaming\9736.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • NTFS ADS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\WerFault.exe
        "C:\Windows\SysWOW64\WerFault.exe"
        3⤵
          PID:332
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WerFault.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:768
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1692

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\r
      Filesize

      1KB

      MD5

      8db5d85d4e4fdd5502d657ac2f777304

      SHA1

      c0e5a0782cf843aa2e82c36a1df367d8ea5c03d4

      SHA256

      af005b46e08dddc9820363673bc425500f5ed7ab5c30f26f3ce273b8f9971f5c

      SHA512

      acc00a26d8177723fe8c8caf413e88d72c446d9a56d459b8748102a90cbfb1a56e9df9c2d7db40eb5b6d4888ec9519e7af715d23644d99ceb33fd0c8081835ff

    • C:\Users\Admin\AppData\Local\Temp\rr
      Filesize

      496KB

      MD5

      93ed2434324660e891edd06cf238731f

      SHA1

      f7790a13ee6abbc1a06b811a5ed242e80094daec

      SHA256

      fa2601aa41afbde218085ce6ebc685aa994f44031369ee0fbc0346241bc3cc8c

      SHA512

      514fcc6327affd7c772a1b3703b5c8b0c401bbe26eb78ee0fd0ddaaf8ec37d79568b6d081851758f0aabc9485d50fae44b7f5976b7690e4944ec54f01e9ab4ea

    • C:\Users\Admin\AppData\Roaming\9736.exe
      Filesize

      1.3MB

      MD5

      e969721bbcbbaecaf72ab2bc214cb9c1

      SHA1

      50fb570b74d03bc5ac25c8b4972249360fac711a

      SHA256

      eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

      SHA512

      64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

    • C:\Users\Admin\AppData\Roaming\9736.exe
      Filesize

      1.3MB

      MD5

      e969721bbcbbaecaf72ab2bc214cb9c1

      SHA1

      50fb570b74d03bc5ac25c8b4972249360fac711a

      SHA256

      eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

      SHA512

      64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PNDN4XTB.txt
      Filesize

      603B

      MD5

      514a4ea1c85252fd62ae0ec6a1aa47c1

      SHA1

      59634d501ac63119b3c8da5d8761902e623f4573

      SHA256

      f9b36e8c8731e1f9af15c1ccc5f3e5b9c57ba767bc63e873d72865f0baa2f74c

      SHA512

      6ca9bc04ef75903d0929a3f2f45a318fa90cd59c1ef7ba3f4b40bbcdf9612441315835f2fa100209916ecae861e5be91960e81860a7a68dd87b5afa2ef1c441d

    • \Users\Admin\AppData\Roaming\9736.exe
      Filesize

      1.3MB

      MD5

      e969721bbcbbaecaf72ab2bc214cb9c1

      SHA1

      50fb570b74d03bc5ac25c8b4972249360fac711a

      SHA256

      eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

      SHA512

      64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

    • \Users\Admin\AppData\Roaming\9736.exe
      Filesize

      1.3MB

      MD5

      e969721bbcbbaecaf72ab2bc214cb9c1

      SHA1

      50fb570b74d03bc5ac25c8b4972249360fac711a

      SHA256

      eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

      SHA512

      64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

    • \Users\Admin\AppData\Roaming\9736.exe
      Filesize

      1.3MB

      MD5

      e969721bbcbbaecaf72ab2bc214cb9c1

      SHA1

      50fb570b74d03bc5ac25c8b4972249360fac711a

      SHA256

      eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

      SHA512

      64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

    • \Users\Admin\AppData\Roaming\9736.exe
      Filesize

      1.3MB

      MD5

      e969721bbcbbaecaf72ab2bc214cb9c1

      SHA1

      50fb570b74d03bc5ac25c8b4972249360fac711a

      SHA256

      eed34df5ae4ba41952148c118e306bc522dd3248a8f288e7d0eacd32d61911b1

      SHA512

      64f06ffa75d3d908e15bca45b7cbb08f40e9172fb830119cc9686220a17c2b362189c96f1308f126799b0083ad9d39212da232169480c368d848913df3e7e9f7

    • memory/332-65-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

    • memory/332-66-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

    • memory/332-68-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

    • memory/332-69-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

    • memory/332-70-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

    • memory/332-71-0x0000000000479FFE-mapping.dmp
    • memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp
      Filesize

      8KB

    • memory/1428-59-0x0000000000000000-mapping.dmp