Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30-11-2022 01:34
General
-
Target
0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
-
Size
2.5MB
-
MD5
bab923da922c592e4138b88a402add32
-
SHA1
5927bed5f9a41a82b6c5b91175ef5bb396a1f17c
-
SHA256
0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71
-
SHA512
6c74a6ab914d4f5474450f223020e49658dca756a7769329ccd23d2560121d212474382541a022533b19d5acb5693d2a2576134aafa47ff1f4ab2aa5088c87b7
-
SSDEEP
49152:VSVJcb9RglAw8js3duEFxNWwKhvzJWNNERSxgNVnJ/hewok+hN6mDKU:VSaIA/stWwkvzJWn+ygNVndhewok+hN3
Malware Config
Signatures
-
CryptOne packer 3 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe"C:\Users\Admin\AppData\Local\Temp\0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.ailili.info/c/c.html?http://go.microsoft.com/fwlink/?LinkId=691572⤵
- Modifies Internet Explorer settings
-
C:\CF唯爱稳定透视十字准心稳定版09月22SP2.exeC:\CF唯爱稳定透视十字准心稳定版09月22SP2.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.6655.la/url.htm?new_0_http://go.microsoft.com/fwlink/?LinkId=69157_http://www.91duote.info/?w12⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.t6t8.com/fuzhu.html?g2⤵
- Modifies Internet Explorer settings
-
C:\ProgramData\Msgbox.exeC:\ProgramData\Msgbox.exe /97sky2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\CF唯爱稳定透视十字准心稳定版09月22SP2.exeFilesize
2.3MB
MD583f94619c080a23698b38b200ef84c77
SHA1171a44608b2e8d6b5ca0ed9c94bb73d1fd3932e9
SHA256e214a8d61d25bcf3973b4e762baa3b7bba8ade5783a88f34845465ad06c5aa4e
SHA5125e6e1241860d0f763d49ef24b9790cde7c5d2f69df0b32adb3364bc9d1b587266dcd58abeac3e86dc9efe8b62e79928c52982c098c5d600e841e1c876c5934ce
-
C:\ProgramData\Msgbox.exeFilesize
273.0MB
MD56c0ad6e0854d652f53f36efcaa704c7e
SHA1ab238df9335398d901d02adc975895659fd8c18a
SHA2563316744b6fe73e52dd7f332674e5b916ca4570daa636ff63a0e037c1ca9e4961
SHA51205ff94d1dd986062e8aeeac085c07e7f9ed6562adfdd154665d50906d32f9ef8e36c0f76415661879de3e9a0799d379a9c441e9613d5d56685b966cff453364f
-
C:\ProgramData\Msgbox.exeFilesize
269.8MB
MD52a50a504bd292b917ae0b2de7bedbea0
SHA1f7434776f219e968a9d35530b91ef7c32a1a45ae
SHA256a2795fe880a34c89c9c3262bdcf1ac2a57646579638ac205f913ed3f4d226cb6
SHA512c0723df55908c0002d4ba4e611b94932eb40df6faae8c6b740480553cc0d3d26ec76c15cfe1389b685f2784ae015d5a356956958f4657fb877b5fccd05f40d41
-
\ProgramData\Msgbox.exeFilesize
258.4MB
MD54b4bb8008c3bbc44a5c5a928b62a8c10
SHA1f42060079c01f281688251d1aba30f75e6237284
SHA25614178c16056342b780fecbcd7c92d276f665b392e2b0c48a61e62be65da61f43
SHA512d1c4a9303a6a6e9052418c54e94792f339c60c5779c32467a48f47f56ee9de045cc43ffc9fe99c09442e21d2a371ea492149ef2208b7709dfc2ea3045b7d5e84
-
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmpFilesize
8KB
-
memory/1184-55-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/1184-122-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/1184-115-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/1184-112-0x00000000036E0000-0x000000000399E000-memory.dmpFilesize
2.7MB
-
memory/1184-111-0x00000000036E0000-0x000000000399E000-memory.dmpFilesize
2.7MB
-
memory/1712-124-0x0000000000400000-0x00000000004B4000-memory.dmpFilesize
720KB
-
memory/1712-119-0x0000000000000000-mapping.dmp
-
memory/1788-92-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-110-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-69-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-76-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-74-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-78-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-80-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-82-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-84-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-86-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-90-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-88-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-70-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-96-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-94-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-98-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-100-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-72-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-108-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-106-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-104-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-102-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-68-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-67-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-113-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-114-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-65-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-116-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-117-0x0000000010000000-0x000000001003D000-memory.dmpFilesize
244KB
-
memory/1788-64-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-62-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-60-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-61-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-59-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB
-
memory/1788-56-0x0000000000000000-mapping.dmp
-
memory/1788-125-0x0000000000400000-0x00000000006BE000-memory.dmpFilesize
2.7MB