Overview

overview

6

Static

static

66b4e399f9...59.exe

windows7-x64

4

66b4e399f9...59.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    155s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 10:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    66b4e399f9a75d639e4b66fd28d709056dbef5c98ea9c51e0f509e822b3c1659.exe

  • Size

    1.6MB

  • MD5

    b2e91ee183fab1c0fd9dea29398619c3

  • SHA1

    2c831d4d080d741d1ea7651a6bb7f4dc9a400357

  • SHA256

    66b4e399f9a75d639e4b66fd28d709056dbef5c98ea9c51e0f509e822b3c1659

  • SHA512

    823c08684dad9fe9f3cb7efaa2409578e2a36161a3775f059e6cdbec77c0abf4721d4aa5556a774923c94f4fb102040fca81b70cee409f7a6222fb2b22c98a22

  • SSDEEP

    24576:fXih+/sW5YcJpq5cuWLNGXJB152yVOMdWJoNw57297MuT55fsIn:fyh+ZYc76QLIJB/VsD5297V5f

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66b4e399f9a75d639e4b66fd28d709056dbef5c98ea9c51e0f509e822b3c1659.exe
    "C:\Users\Admin\AppData\Local\Temp\66b4e399f9a75d639e4b66fd28d709056dbef5c98ea9c51e0f509e822b3c1659.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.nz92.com/
      2⤵
      • Adds Run key to start application
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd790146f8,0x7ffd79014708,0x7ffd79014718
        3⤵
          PID:1820
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2368 /prefetch:2
          3⤵
            PID:2856
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
            3⤵
              PID:916
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
              3⤵
                PID:3248
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
                3⤵
                  PID:4296
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
                  3⤵
                    PID:4396
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 /prefetch:8
                    3⤵
                      PID:4688
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
                      3⤵
                        PID:5064
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
                        3⤵
                          PID:1824
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 /prefetch:8
                          3⤵
                            PID:1268
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
                            3⤵
                              PID:2176
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
                              3⤵
                                PID:3940
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
                                3⤵
                                  PID:3888
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                  3⤵
                                  • Drops file in Program Files directory
                                  PID:3768
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff659b45460,0x7ff659b45470,0x7ff659b45480
                                    4⤵
                                      PID:4212
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
                                    3⤵
                                      PID:4296
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,10821616501631704466,1157540396622366799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3464 /prefetch:8
                                      3⤵
                                        PID:260
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2896

                                    Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
                                            Filesize

                                            1KB

                                            MD5

                                            9dc6d59c481e182cf65cfc3163301eed

                                            SHA1

                                            e0301b2bd910d264af8dfefb35eb4339a8182f1c

                                            SHA256

                                            dc9aa2ed9de9f8cccfe06bf675d10dcd4578b77d06558a1de694d225f8e0d2a4

                                            SHA512

                                            926721f078da9f14b6e6fc150281342782e9e9813e1b407a9fefc1c8e4b9287f5e62d2163d2d9a5ed6fc215b6e4806f68a3706bcaafadf7316ca4fa22c77dba8

                                            Download Submit

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
                                            Filesize

                                            1KB

                                            MD5

                                            23be8618728cfaa72e3cd1037277d632

                                            SHA1

                                            2410ad09d829734bce0ca5924af56d3f00efd5b9

                                            SHA256

                                            a405f243db3bb620eaf857acb1cb15495a1b179d1ed09d7f610aa0e4d4939688

                                            SHA512

                                            38610f666ce86d9479ce42569d79bc343d5b558ff223bdd7fb45db8213d89d630e431f9507ecb6cbef29d21ce27d5a950e926ff5e4a605317416b3e394d2dfef

                                            Download Submit

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
                                            Filesize

                                            450B

                                            MD5

                                            27e462f99eb9d3b5a56726d68a0ce5b1

                                            SHA1

                                            c803253db72d9fb9263d842cbc16b15cafeff619

                                            SHA256

                                            8d4e64fe4f1bb2fffd3d2cd60ef583d056cb1c17de68d434f00eb8d45f0f5653

                                            SHA512

                                            e3635cfba1b084b20164c5c1dad52cd59b48f92bb0ac1741bf8f6b864967426e21152457dc7600ae5931bbc68343ba3728458fc2aaf02d90e528cf7b6b9f1cdd

                                            Download Submit

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
                                            Filesize

                                            458B

                                            MD5

                                            b40ba145aa12b8e4e71966cecd63bcd3

                                            SHA1

                                            f3e2b17c6c2755a403ef742aac8625cf18cbc95c

                                            SHA256

                                            fe2c085f03da3e513f7423f55f2ce451ca80dbcbcab1a233ae81047a6f9ac177

                                            SHA512

                                            97c24e32707d5e5927ca1d4ee7055ce584c8e993363e35bf173f12b88b89bd5c28b62cbf00e45c6cb8dfc8a030234f54cf0b6fe49e9f15f2425f97b04519b86a

                                            Download Submit