Overview

overview

10

Static

static

ca09090772...da.exe

windows7-x64

8

ca09090772...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca09090772201fbfb8253ea6220394935206e9330782feecff757bb583683bda.exe

  • Size

    361KB

  • MD5

    2073aad9b6842840eeb1e9fc5a3790ed

  • SHA1

    51a0af5f7ee71a82f92020cb0ec1fee221159281

  • SHA256

    ca09090772201fbfb8253ea6220394935206e9330782feecff757bb583683bda

  • SHA512

    762357992fde1e904cc384dbcac01c8a185a8d38f8b99a05e950e5256e059bf87e4acf269f87fdae1357cd2ec257e99ee6862ffcc3e119baecd5892e448845e6

  • SSDEEP

    6144:FflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:FflfAsiVGjSGecvX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca09090772201fbfb8253ea6220394935206e9330782feecff757bb583683bda.exe
    "C:\Users\Admin\AppData\Local\Temp\ca09090772201fbfb8253ea6220394935206e9330782feecff757bb583683bda.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Temp\rqojidusomlgxsrp.exe
      C:\Temp\rqojidusomlgxsrp.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\xuqqeaxttp.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1984
        • C:\Temp\xuqqeaxttp.exe
          C:\Temp\xuqqeaxttp.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:828
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1624
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2815f995567c0108d6be1c3d9a074b54

    SHA1

    eb1f4ab8fc7bbda5db79804bd3590b59ecd91402

    SHA256

    c4d0c7064e21d40151f6e237c96c1393ccdadc4312c132495678739fa00fefc0

    SHA512

    40611256face4fd20215644b93f414ca1a147b02f522b07ccf907b7ed3862b0d9d5c51a5143cdd739bd4cb0352760d9a4ad6eb0d5bf91680c25f649da2f1ff86

    Download Submit

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2815f995567c0108d6be1c3d9a074b54

    SHA1

    eb1f4ab8fc7bbda5db79804bd3590b59ecd91402

    SHA256

    c4d0c7064e21d40151f6e237c96c1393ccdadc4312c132495678739fa00fefc0

    SHA512

    40611256face4fd20215644b93f414ca1a147b02f522b07ccf907b7ed3862b0d9d5c51a5143cdd739bd4cb0352760d9a4ad6eb0d5bf91680c25f649da2f1ff86

    Download Submit

  • C:\Temp\rqojidusomlgxsrp.exe
    Filesize

    361KB

    MD5

    70ef4a9d09feb667d9777bc68a1fdccf

    SHA1

    8ca83bdfce6e351b8fb4ebc3aa40e4f23e7ad58b

    SHA256

    bb1fec57aba5a8279f567882d10e0997836eac01e581ebdcf870507c0eaae792

    SHA512

    37e7a533f8da4543dd2fc07c7db110611f0d07adadb782d28bee59de4fc7724aa81fbbf75a649d3f98712afc046d8fc040883553518a77eea3a49d93de8e9ffe

    Download Submit

  • C:\Temp\rqojidusomlgxsrp.exe
    Filesize

    361KB

    MD5

    70ef4a9d09feb667d9777bc68a1fdccf

    SHA1

    8ca83bdfce6e351b8fb4ebc3aa40e4f23e7ad58b

    SHA256

    bb1fec57aba5a8279f567882d10e0997836eac01e581ebdcf870507c0eaae792

    SHA512

    37e7a533f8da4543dd2fc07c7db110611f0d07adadb782d28bee59de4fc7724aa81fbbf75a649d3f98712afc046d8fc040883553518a77eea3a49d93de8e9ffe

    Download Submit

  • C:\Temp\xuqqeaxttp.exe
    Filesize

    361KB

    MD5

    f9dd504940d7b5e3ef8828fb3c024a54

    SHA1

    8a95985926dd2fd52b99740c749e5e52be6501c3

    SHA256

    a332c53432626261b4b46a1096596aff6ed1feced849b427ac9643b4653f022b

    SHA512

    316259f34033904d251f20d13c14da3b10991e93780922ccb9783cc27cc17ccc0597812ba8f900167a1d24877e7ecb81dfcd663f813e0c9bcd942a67a36df966

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T0T41VJY.txt
    Filesize

    539B

    MD5

    ab0d904834c5fb7dbd5c3d29a0eb1fc3

    SHA1

    efb39dbf06c7643b1a90861c845cf1ac9e0e2625

    SHA256

    3b500c117af5e2689ccc754509bbfe5a429ab2d930f687fd9f025c7c59d9e7ad

    SHA512

    26abc34922b4c1a83c162ae75b29ee121ecc1608a575f9047402987be0375fd5b1261242d04e70f3a0aeba31a25ae2493714289f8a2739b684af66076bd64572

    Download Submit

  • C:\temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2815f995567c0108d6be1c3d9a074b54

    SHA1

    eb1f4ab8fc7bbda5db79804bd3590b59ecd91402

    SHA256

    c4d0c7064e21d40151f6e237c96c1393ccdadc4312c132495678739fa00fefc0

    SHA512

    40611256face4fd20215644b93f414ca1a147b02f522b07ccf907b7ed3862b0d9d5c51a5143cdd739bd4cb0352760d9a4ad6eb0d5bf91680c25f649da2f1ff86

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2815f995567c0108d6be1c3d9a074b54

    SHA1

    eb1f4ab8fc7bbda5db79804bd3590b59ecd91402

    SHA256

    c4d0c7064e21d40151f6e237c96c1393ccdadc4312c132495678739fa00fefc0

    SHA512

    40611256face4fd20215644b93f414ca1a147b02f522b07ccf907b7ed3862b0d9d5c51a5143cdd739bd4cb0352760d9a4ad6eb0d5bf91680c25f649da2f1ff86

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2815f995567c0108d6be1c3d9a074b54

    SHA1

    eb1f4ab8fc7bbda5db79804bd3590b59ecd91402

    SHA256

    c4d0c7064e21d40151f6e237c96c1393ccdadc4312c132495678739fa00fefc0

    SHA512

    40611256face4fd20215644b93f414ca1a147b02f522b07ccf907b7ed3862b0d9d5c51a5143cdd739bd4cb0352760d9a4ad6eb0d5bf91680c25f649da2f1ff86

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2815f995567c0108d6be1c3d9a074b54

    SHA1

    eb1f4ab8fc7bbda5db79804bd3590b59ecd91402

    SHA256

    c4d0c7064e21d40151f6e237c96c1393ccdadc4312c132495678739fa00fefc0

    SHA512

    40611256face4fd20215644b93f414ca1a147b02f522b07ccf907b7ed3862b0d9d5c51a5143cdd739bd4cb0352760d9a4ad6eb0d5bf91680c25f649da2f1ff86

    Download Submit

  • \Temp\rqojidusomlgxsrp.exe
    Filesize

    361KB

    MD5

    70ef4a9d09feb667d9777bc68a1fdccf

    SHA1

    8ca83bdfce6e351b8fb4ebc3aa40e4f23e7ad58b

    SHA256

    bb1fec57aba5a8279f567882d10e0997836eac01e581ebdcf870507c0eaae792

    SHA512

    37e7a533f8da4543dd2fc07c7db110611f0d07adadb782d28bee59de4fc7724aa81fbbf75a649d3f98712afc046d8fc040883553518a77eea3a49d93de8e9ffe

    Download Submit

  • memory/828-65-0x0000000000000000-mapping.dmp

    Download

  • memory/1292-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1984-61-0x0000000000000000-mapping.dmp

    Download