Overview

overview

10

Static

static

af6fab41d6...17.exe

windows7-x64

8

af6fab41d6...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe

  • Size

    361KB

  • MD5

    fd6e677e34a77ee85aee3df8382bce73

  • SHA1

    e26bf77728ddaa3e2634281d9b7fd6c149353da7

  • SHA256

    af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817

  • SHA512

    ad6e02e2a8eea4716c1827412313021af2ce25cc8948461e9e88e4e0a64c9c7eea3dfd9ba8586ecc35fb50bff8cac9a0e950bcedc5cd6802c4b8ceeedca946cf

  • SSDEEP

    6144:CflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:CflfAsiVGjSGecvX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe
    "C:\Users\Admin\AppData\Local\Temp\af6fab41d6cd4f27bc30a6348989cf7ce77a36f5ceae46851b38222c9763e817.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Temp\rqomlbzxwusjhfec.exe
      C:\Temp\rqomlbzxwusjhfec.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\khyvronkgc.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:912
        • C:\Temp\khyvronkgc.exe
          C:\Temp\khyvronkgc.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:908
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1956
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2abf3db1cf2ecd52bae2a855a1f61394

    SHA1

    e4478dc5a5eb1f0610c6ed924966d7eab5c27830

    SHA256

    f2d847f4306069650bb5435264d3f5cd7e8af6a49199fb08d7aecd3e9a9c1c80

    SHA512

    255501af4e2bb1f300ec4ba38c00a3b64f760d90268530cea79f55315787b017ec4a5e5f18c2d2c2e05454bab4123f0fe443bf8eed500a6483338d22d0296cdd

    Download Submit

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2abf3db1cf2ecd52bae2a855a1f61394

    SHA1

    e4478dc5a5eb1f0610c6ed924966d7eab5c27830

    SHA256

    f2d847f4306069650bb5435264d3f5cd7e8af6a49199fb08d7aecd3e9a9c1c80

    SHA512

    255501af4e2bb1f300ec4ba38c00a3b64f760d90268530cea79f55315787b017ec4a5e5f18c2d2c2e05454bab4123f0fe443bf8eed500a6483338d22d0296cdd

    Download Submit

  • C:\Temp\khyvronkgc.exe
    Filesize

    361KB

    MD5

    c84336a50b017b0ef8ab11992fc58b0d

    SHA1

    3e11d23486156909923ec1dc19e0c44d5c36d330

    SHA256

    2e62018d05c6afdc9ef00a07461c6b06d052dac6b426f9e7cd02bdfa92b8763a

    SHA512

    4f9620cbffed8461968be68174c51dca5bb67b0c6e145e174457f16cb8c6259488aee6c303d3e6d335726a87fb8e3a7a99368007c19c036430210b38d642b44c

    Download Submit

  • C:\Temp\rqomlbzxwusjhfec.exe
    Filesize

    361KB

    MD5

    cbebed3c1d646568a0d3cabaaff25ee6

    SHA1

    3dc85c0d5cc5b7ddf3ba4872964fafab189aedeb

    SHA256

    83349341708eb28b50b9f236047a11b46c5d125d14aee47865324a5b61bfb184

    SHA512

    d8dac917904e56167a19f19cb60b78f8f6aaf1fa76755e062dfe0d2235137558ba63a8cbe0ae7486a0fa39f88092c7ced24f55c58ad1fbe4ecea9f65b0c3b757

    Download Submit

  • C:\Temp\rqomlbzxwusjhfec.exe
    Filesize

    361KB

    MD5

    cbebed3c1d646568a0d3cabaaff25ee6

    SHA1

    3dc85c0d5cc5b7ddf3ba4872964fafab189aedeb

    SHA256

    83349341708eb28b50b9f236047a11b46c5d125d14aee47865324a5b61bfb184

    SHA512

    d8dac917904e56167a19f19cb60b78f8f6aaf1fa76755e062dfe0d2235137558ba63a8cbe0ae7486a0fa39f88092c7ced24f55c58ad1fbe4ecea9f65b0c3b757

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0V8AAYD8.txt
    Filesize

    535B

    MD5

    aaac07821b8ecb4dc108ad9647e15098

    SHA1

    4280a2905a280ac60607eb2c263a68b426527c65

    SHA256

    d8be85a5c0f5ffb5690fdbb9dca5be87dbc0983f8a4e28f400390019fa024cf7

    SHA512

    9cd6b797a8a14d5629c5ec2395a9e1119398149b04c1d1828479b227feefd4b6a96d8b870a72ff4bb90f2c30fd587f406a61adc9c1f770437feb138152e3bc25

    Download Submit

  • C:\temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2abf3db1cf2ecd52bae2a855a1f61394

    SHA1

    e4478dc5a5eb1f0610c6ed924966d7eab5c27830

    SHA256

    f2d847f4306069650bb5435264d3f5cd7e8af6a49199fb08d7aecd3e9a9c1c80

    SHA512

    255501af4e2bb1f300ec4ba38c00a3b64f760d90268530cea79f55315787b017ec4a5e5f18c2d2c2e05454bab4123f0fe443bf8eed500a6483338d22d0296cdd

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2abf3db1cf2ecd52bae2a855a1f61394

    SHA1

    e4478dc5a5eb1f0610c6ed924966d7eab5c27830

    SHA256

    f2d847f4306069650bb5435264d3f5cd7e8af6a49199fb08d7aecd3e9a9c1c80

    SHA512

    255501af4e2bb1f300ec4ba38c00a3b64f760d90268530cea79f55315787b017ec4a5e5f18c2d2c2e05454bab4123f0fe443bf8eed500a6483338d22d0296cdd

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2abf3db1cf2ecd52bae2a855a1f61394

    SHA1

    e4478dc5a5eb1f0610c6ed924966d7eab5c27830

    SHA256

    f2d847f4306069650bb5435264d3f5cd7e8af6a49199fb08d7aecd3e9a9c1c80

    SHA512

    255501af4e2bb1f300ec4ba38c00a3b64f760d90268530cea79f55315787b017ec4a5e5f18c2d2c2e05454bab4123f0fe443bf8eed500a6483338d22d0296cdd

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    2abf3db1cf2ecd52bae2a855a1f61394

    SHA1

    e4478dc5a5eb1f0610c6ed924966d7eab5c27830

    SHA256

    f2d847f4306069650bb5435264d3f5cd7e8af6a49199fb08d7aecd3e9a9c1c80

    SHA512

    255501af4e2bb1f300ec4ba38c00a3b64f760d90268530cea79f55315787b017ec4a5e5f18c2d2c2e05454bab4123f0fe443bf8eed500a6483338d22d0296cdd

    Download Submit

  • \Temp\rqomlbzxwusjhfec.exe
    Filesize

    361KB

    MD5

    cbebed3c1d646568a0d3cabaaff25ee6

    SHA1

    3dc85c0d5cc5b7ddf3ba4872964fafab189aedeb

    SHA256

    83349341708eb28b50b9f236047a11b46c5d125d14aee47865324a5b61bfb184

    SHA512

    d8dac917904e56167a19f19cb60b78f8f6aaf1fa76755e062dfe0d2235137558ba63a8cbe0ae7486a0fa39f88092c7ced24f55c58ad1fbe4ecea9f65b0c3b757

    Download Submit