Overview

overview

8

Static

static

6059819cbb...88.exe

windows7-x64

8

6059819cbb...88.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    114s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 23:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6059819cbbef9b02dc164210e2fbfaff04ecfcb9a923a5b750c8ffc0c409c788.exe

  • Size

    500KB

  • MD5

    eb7963c1046d089525b56ba7531d41f3

  • SHA1

    56a2e1c147f863518565d4ad83ee1b4078e35251

  • SHA256

    6059819cbbef9b02dc164210e2fbfaff04ecfcb9a923a5b750c8ffc0c409c788

  • SHA512

    bdb4e2140fdb47e2a277727005430638c41ca341fbd887bfd149cbb0b8f94cdeedceb628c46a02d0bfb3d6e371ebade26c4da8b0ecb158f40c9156a54d85b75f

  • SSDEEP

    3072:3UXHF76NAzdG6slPV6v1vbpPaJx+NupzWP8OwtVRAi44g:W7VKAdbpaCjkmiK

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6059819cbbef9b02dc164210e2fbfaff04ecfcb9a923a5b750c8ffc0c409c788.exe
    "C:\Users\Admin\AppData\Local\Temp\6059819cbbef9b02dc164210e2fbfaff04ecfcb9a923a5b750c8ffc0c409c788.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Roaming\Surprize.exe
      "C:\Users\Admin\AppData\Roaming\Surprize.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1092
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.4jok.com/sms/13/1
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1624

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YKGL4G9S.txt
          Filesize

          527B

          MD5

          541456e799e68e270891f63052934201

          SHA1

          a8ee557895100ffb78e36989709ab06bf9275528

          SHA256

          6bf0516c84f7cae546663025c776888663a81363bb5ad9111f862614e3490fe9

          SHA512

          5e19c89e923a9728f67ffdf41db8e3a3656fe43bcea24be4295afeaa5431ddf0c5ad8db29e7379fda9135be8fbd7346c73bc1fd5b0b9a3e9207409313746bf84

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Surprize.exe
          Filesize

          500KB

          MD5

          eb7963c1046d089525b56ba7531d41f3

          SHA1

          56a2e1c147f863518565d4ad83ee1b4078e35251

          SHA256

          6059819cbbef9b02dc164210e2fbfaff04ecfcb9a923a5b750c8ffc0c409c788

          SHA512

          bdb4e2140fdb47e2a277727005430638c41ca341fbd887bfd149cbb0b8f94cdeedceb628c46a02d0bfb3d6e371ebade26c4da8b0ecb158f40c9156a54d85b75f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Surprize.exe
          Filesize

          500KB

          MD5

          eb7963c1046d089525b56ba7531d41f3

          SHA1

          56a2e1c147f863518565d4ad83ee1b4078e35251

          SHA256

          6059819cbbef9b02dc164210e2fbfaff04ecfcb9a923a5b750c8ffc0c409c788

          SHA512

          bdb4e2140fdb47e2a277727005430638c41ca341fbd887bfd149cbb0b8f94cdeedceb628c46a02d0bfb3d6e371ebade26c4da8b0ecb158f40c9156a54d85b75f

          Download Submit

        • memory/1092-59-0x000007FEF3D60000-0x000007FEF4783000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1092-61-0x000007FEF2CC0000-0x000007FEF3D56000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1092-62-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1092-63-0x0000000000396000-0x00000000003B5000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1756-54-0x000007FEF3D60000-0x000007FEF4783000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1756-55-0x000007FEF2CC0000-0x000007FEF3D56000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1756-60-0x0000000000A56000-0x0000000000A75000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1756-64-0x0000000000A56000-0x0000000000A75000-memory.dmp

          Filesize

          124KB

          Download