Overview

overview

8

Static

static

8ee6e99a1b...1d.exe

windows7-x64

8

8ee6e99a1b...1d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ee6e99a1b8ac02d28db0f30b4375a574edfb6dd43aef6d84aa9d3cb821feb1d.exe

  • Size

    101KB

  • MD5

    3e5e12a10b7f74c7d51de5cc5e166f3b

  • SHA1

    0cea7e03b823c46228ba62c5a7c465ffca409412

  • SHA256

    8ee6e99a1b8ac02d28db0f30b4375a574edfb6dd43aef6d84aa9d3cb821feb1d

  • SHA512

    978cba07a36362753b7a23f17bb5c8aea95aaa83c86eafd111a9c1f83cb469a81839df65c464039da4de3a3f19cc6ce78fc08decdc7d4224fa9999bd2256f48b

  • SSDEEP

    1536:9edHm9yYNetrQnKHTJKqOZ2QjLc9b1Qp/aKiHp64HlQf6o//hOU7wuOG:9eYPe1QmTJK5ZtjLc9xrHprSfHHhOzrG

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ee6e99a1b8ac02d28db0f30b4375a574edfb6dd43aef6d84aa9d3cb821feb1d.exe
    "C:\Users\Admin\AppData\Local\Temp\8ee6e99a1b8ac02d28db0f30b4375a574edfb6dd43aef6d84aa9d3cb821feb1d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\plugtemp\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q48D29GX.txt
    Filesize

    515B

    MD5

    d248846cd93cc9a1fcfc129720951f36

    SHA1

    bcb733ed91d11eecc6f74694701c272d139c20c6

    SHA256

    92a0b8d38ef2bf07f00a6d5f1ab9bc1e7904d1e1ea98906cda5609b3a358b34d

    SHA512

    1820221ef135427d6ec386d2e2cd30ba6c0c85b8521b3f9070e1848a768a1f97232506cec2a87cd8eaf4a5c8b01ad9ab7154f0a68932bc4621569f8a7dc126cf

    Download Submit
  • \Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit
  • memory/1584-54-0x0000000075C81000-0x0000000075C83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1584-55-0x00000000742E0000-0x000000007488B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1584-56-0x00000000742E0000-0x000000007488B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1584-71-0x00000000742E0000-0x000000007488B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1752-64-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1752-65-0x000000000040AB6E-mapping.dmp
    Download
  • memory/1752-63-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1752-68-0x0000000000402000-0x000000000040AC00-memory.dmp
    Filesize

    35KB

    Download
  • memory/1752-69-0x0000000000402000-0x000000000040AC00-memory.dmp
    Filesize

    35KB

    Download
  • memory/1752-61-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1752-59-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1752-58-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download