Overview

overview

8

Static

static

8

8a7e04f1a4...e6.exe

windows7-x64

8

8a7e04f1a4...e6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    72s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a7e04f1a48e82e73027733bc04a28356716a6cf3acc5677f5b9a99de244afe6.exe

  • Size

    328KB

  • MD5

    b564ff491a9d1d7cdeffb2f7348df2af

  • SHA1

    fc1555103d25bba376d2ec7f2a8c092500131e15

  • SHA256

    8a7e04f1a48e82e73027733bc04a28356716a6cf3acc5677f5b9a99de244afe6

  • SHA512

    49598cb5be45aac41b1f715aa20a2e3b735edeedd51c5fe13e9b26f9f2f1b35cd21db682dd2dc9681317e95b8f7e9e42b147a43563ed3ac9630a62a0ec3b6a75

  • SSDEEP

    6144:tDRRSSgvVaoteY9reiN9GD7SE7NO56UNbY5bg4bntmTTd9ui0qC:Ni/asVPNK55O56URYl9T2uixC

Score
8/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a7e04f1a48e82e73027733bc04a28356716a6cf3acc5677f5b9a99de244afe6.exe
    "C:\Users\Admin\AppData\Local\Temp\8a7e04f1a48e82e73027733bc04a28356716a6cf3acc5677f5b9a99de244afe6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://yy.duowan.com/go.html#6625
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    1c7d353d436727f12766a8f3ab5032b1

    SHA1

    15d045967ce27e7067aa800130068f0a31f5dd7c

    SHA256

    ad702725af38b78506e206940a00a8e09b974cc39cafc9c84c4a156c4b2f28c5

    SHA512

    df6e3b820bf7589e847abc470671ff56a175d87861f36299bab6af26d072d60394b1c421f1df52a1e51c7b6b7e1311c3c416b091c0620539c832c5b2f7d69c85

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\834Y9BUP.txt
    Filesize

    603B

    MD5

    d11bc88643f054ec3436d610b9acfdfe

    SHA1

    89e4b5f57aca448fdc3a4dbb2c589bd7b383a4bd

    SHA256

    387eaf07a800f60b098dcf661d819a1d639350bb32156319a9001306347f6308

    SHA512

    47a93854c54ba8c5afce0e24e85c57a1f3aefee5a16c3178224777cc3e23aee528577ed6c34df15e6991e5f2a9b29c6401b9b51b0425dc353c9c6892fdc2d10a

    Download Submit
  • memory/1400-54-0x0000000000400000-0x00000000004FD000-memory.dmp
    Filesize

    1012KB

    Download
  • memory/1400-55-0x0000000075571000-0x0000000075573000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1400-56-0x0000000000400000-0x00000000004FD000-memory.dmp
    Filesize

    1012KB

    Download
  • memory/1400-59-0x0000000000400000-0x00000000004FD000-memory.dmp
    Filesize

    1012KB

    Download
  • memory/1400-60-0x0000000000400000-0x00000000004FD000-memory.dmp
    Filesize

    1012KB

    Download