Overview

overview

8

Static

static

7a4e2dff7a...7d.exe

windows7-x64

8

7a4e2dff7a...7d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe

  • Size

    437KB

  • MD5

    d305c00acc4cd962dfd2ab69c3d9fbda

  • SHA1

    adf57e2f7555badf5467c127e138de49a58cfb2b

  • SHA256

    7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d

  • SHA512

    a8eb88507e124fa66fa1cb420e69c86b45f584f8f55281d25d9daf3b33017e06effcf5ea17421b6990d48107617cc0cd2dc3eda6786128b5f68efe808d6ecc01

  • SSDEEP

    6144:FCOoWSuTpRMgDtvAP+2PqdAdeF54hFNE9cZQ5XR7nyHOshfXR7nyHOsh:FyuTpRJvAP7ydAdeohxQ5ByusdByus

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4e2dff7aee5b415be14e733547e34d9f8b9357433e821b171791a4e213937d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
      "C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WORM.EXE.EXE&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:240
    • C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE
      "C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
    Filesize

    224KB

    MD5

    c32a647e5267d256d848afeef2fec541

    SHA1

    7804edc0904f221bc775245956132044a45ae3f4

    SHA256

    f233c11d12b0636c53fee2c068af95d4a20a184e560820a226bfc803bde740e3

    SHA512

    24dacb9a901cbaa13395669ae1cb572fd31abca07287c74094fd4f5e37144bfa7ec6abd79b758b13910b7b5583832f3b92a37dbdf34e32e09df60a521ff40362

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
    Filesize

    224KB

    MD5

    c32a647e5267d256d848afeef2fec541

    SHA1

    7804edc0904f221bc775245956132044a45ae3f4

    SHA256

    f233c11d12b0636c53fee2c068af95d4a20a184e560820a226bfc803bde740e3

    SHA512

    24dacb9a901cbaa13395669ae1cb572fd31abca07287c74094fd4f5e37144bfa7ec6abd79b758b13910b7b5583832f3b92a37dbdf34e32e09df60a521ff40362

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE
    Filesize

    129KB

    MD5

    6d016b4211d51618831cff6d5a142783

    SHA1

    b98898da9e032320a3e38541d5f54de6bd34cbfa

    SHA256

    607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

    SHA512

    c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ZXZ.EXE
    Filesize

    129KB

    MD5

    6d016b4211d51618831cff6d5a142783

    SHA1

    b98898da9e032320a3e38541d5f54de6bd34cbfa

    SHA256

    607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

    SHA512

    c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    129KB

    MD5

    6d016b4211d51618831cff6d5a142783

    SHA1

    b98898da9e032320a3e38541d5f54de6bd34cbfa

    SHA256

    607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

    SHA512

    c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    129KB

    MD5

    6d016b4211d51618831cff6d5a142783

    SHA1

    b98898da9e032320a3e38541d5f54de6bd34cbfa

    SHA256

    607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

    SHA512

    c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5K6P7NAJ.txt
    Filesize

    539B

    MD5

    59b5967606959da9857c7c5657857b4e

    SHA1

    23f9fafb5d9b7bcff69bfef1fd85c59e348aeeb0

    SHA256

    ce5d65ec729c7c02c12cc4ef42377d223a96322afdf32f54da1163222aaa1e74

    SHA512

    aadddbbc5a4d8df755e4fd81ab560bb9586f4fa6e3281474e0e8cb946cf25d978134de20f152e5542fab6aba544f8827d8ed1031a126141e6afbfcb461194fee

    Download Submit
  • \Users\Admin\AppData\Local\Temp\WORM.EXE.EXE
    Filesize

    224KB

    MD5

    c32a647e5267d256d848afeef2fec541

    SHA1

    7804edc0904f221bc775245956132044a45ae3f4

    SHA256

    f233c11d12b0636c53fee2c068af95d4a20a184e560820a226bfc803bde740e3

    SHA512

    24dacb9a901cbaa13395669ae1cb572fd31abca07287c74094fd4f5e37144bfa7ec6abd79b758b13910b7b5583832f3b92a37dbdf34e32e09df60a521ff40362

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ZXZ.EXE
    Filesize

    129KB

    MD5

    6d016b4211d51618831cff6d5a142783

    SHA1

    b98898da9e032320a3e38541d5f54de6bd34cbfa

    SHA256

    607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

    SHA512

    c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

    Download Submit
  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    129KB

    MD5

    6d016b4211d51618831cff6d5a142783

    SHA1

    b98898da9e032320a3e38541d5f54de6bd34cbfa

    SHA256

    607efe27b04897f879dd7646b9acb30434b3550abba5da5ea1ce0393c15c1e8b

    SHA512

    c3be048092df8f6f6872673adc8422ade38d58df2d01fb2447bf3b5cc6eb1d7d2539d3cf24a7140b01b06d9bb550e866e8542b5bfd662462a7e952a5a876f639

    Download Submit
  • memory/956-59-0x0000000000000000-mapping.dmp
    Download
  • memory/956-70-0x0000000074200000-0x00000000747AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1132-54-0x0000000075931000-0x0000000075933000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1648-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-74-0x0000000074200000-0x00000000747AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1648-76-0x0000000074200000-0x00000000747AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1728-71-0x0000000000400000-0x0000000000464000-memory.dmp
    Filesize

    400KB

    Download
  • memory/1728-75-0x0000000000400000-0x0000000000464000-memory.dmp
    Filesize

    400KB

    Download
  • memory/1728-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1784-72-0x0000000000000000-mapping.dmp
    Download