Overview

overview

8

Static

static

2065ac4d42...6e.exe

windows7-x64

8

2065ac4d42...6e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 10:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2065ac4d426063a6d9c0ec955751a1a14867e3a1b73a91ad25208dec3671a56e.exe

  • Size

    792KB

  • MD5

    50e78782b35bfcf7d32d6545657b4089

  • SHA1

    cfc24ec1025d094da83628151fecf781dfd69fd1

  • SHA256

    2065ac4d426063a6d9c0ec955751a1a14867e3a1b73a91ad25208dec3671a56e

  • SHA512

    56f9ede374babc6c4af9d82a040e7e78ee2f6ad77f72c323e8d1385ceb45693b3bcc5740bcd1a24e739713333a6be525bff010ef0d9c97a8bda16582cb283839

  • SSDEEP

    12288:dbG/winQbx9f7Oy8aidn58gWOINqiwoEyMj:dbQwinUpQd58VOIsiXEn

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2065ac4d426063a6d9c0ec955751a1a14867e3a1b73a91ad25208dec3671a56e.exe
    "C:\Users\Admin\AppData\Local\Temp\2065ac4d426063a6d9c0ec955751a1a14867e3a1b73a91ad25208dec3671a56e.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\Tencenthw.exe
        C:\Windows\system32\Tencenthw.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 924
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1476
    • C:\Users\Admin\AppData\Local\Temp\DNF01Á¬·¢¹¤¾ß.exe
      "C:\Users\Admin\AppData\Local\Temp\DNF01Á¬·¢¹¤¾ß.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" www.nanawg.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:428
    • C:\Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
      "C:\Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:340
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0xc8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2188

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          fc4666cbca561e864e7fdf883a9e6661

          SHA1

          2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

          SHA256

          10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

          SHA512

          c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          f5fe2776e916338fd0b7d7f100270a5f

          SHA1

          5fa1b0dad086be790ebac968077709c1549f05ba

          SHA256

          670b948fb1ab5a5c5dfcdd89cd8d508ed347b19ed9d6a3979ef2160d6c748947

          SHA512

          d67a11c612f8c56ba6b791276ce84efabcb686fe870d957124b0d4278b2ec56b5a512023616b5bc7973f11e5c31e28a8a3b1d0e9ca2c30172793cc2560111a09

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          4bcb9b4e8700e3d68becdc5cf2dde0fd

          SHA1

          7c79890b74daac3b7787154fe1270b0a28c127a9

          SHA256

          e359e1b117c30e9c8657d87731d80c657691f41aaa941890afc5d00094dcf515

          SHA512

          982e58b89541be45153c223971bd62d26c125de370a35b0bdb726546a0972d4655d091d31a29a0320c7e46836798755eec2cdc2710f05a3e6bc476fe946cb89e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          7b94149e5824d30c6a520addec32ed04

          SHA1

          eea9d9cfcd7a9d3bd0976279ed525e9b880d83bd

          SHA256

          86544bff54f5e3b87c688776030e9aaf103d047b740f264c2c8b5687fdc12c3d

          SHA512

          cefaa2b55c1992ce396e1d2bb3e14577c0528667cab50de9cc53f0ae0f83bd9eb1a6187dfe5136900f6456dfda67738d973ee2bff16e581fffbbf7580d4458af

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat
          Filesize

          1KB

          MD5

          9581a87d44ead6eca55fbd4c58c95201

          SHA1

          265a0d13323dc8adf4b71be9dae06c0e255cc8f5

          SHA256

          29e767c5ff558d55195ffe5d873d0aa50d142efca6a131c4d54e111b7d738b96

          SHA512

          f138130a7b84acd3f83135392208581be9243f7673156688497483c8f6baee43e3bbcfb75b8c1abb65ef7e749f68573d675ca1f887f8ed04e36bea14ac54f237

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DNF01Á¬·¢¹¤¾ß.exe
          Filesize

          620KB

          MD5

          818218a13de47277ae018f384f5c25d4

          SHA1

          34284575d27710b39252e66b73c1dcc8852f8b6f

          SHA256

          fe6d4d79d68976973b4c26e861dbe7f3d97e37062781ff28c5b9e0fc7e4f0075

          SHA512

          9312df1f6eb61ace14fada64ea1ded3647ec8be2bd85b610ba4805671e6616e64f07b2d3359d5e8b19b68771c10e1317d1914d3e72f7a1b2a90ef42d145700d5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          80KB

          MD5

          177f093147c38555ca830c266f967a26

          SHA1

          560d9206482e898f73d092fcfdf1777db598cf13

          SHA256

          6c1d97af8a64a20fd7f04c99db4420b55babfb81229704109d46a0d14c40e9d6

          SHA512

          54ed6d51364ae2836e091c7cd51eaf59bf133df2789434f92407ffd70ebcfe25633212a73e0c24e275020185baf9dbb01bca231df225113abc24a2d6adbc258f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
          Filesize

          58KB

          MD5

          59aa2880527d8baf9d025c3dc2925503

          SHA1

          de75a277fae0886fba8adc778e11b8fb788f1319

          SHA256

          d7c6cd9f7f7e9254d5bb4dcd640dd1d7a437bfcd5a31dab80dace8b51f5274c0

          SHA512

          c8a35125d25df522cf376059fe26051878163ce7af46cbc236955b9ca80df56127b5a72231c5e601db9a38c49027028dcea8aca57eea22d2d0a3cab903e012e4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
          Filesize

          58KB

          MD5

          59aa2880527d8baf9d025c3dc2925503

          SHA1

          de75a277fae0886fba8adc778e11b8fb788f1319

          SHA256

          d7c6cd9f7f7e9254d5bb4dcd640dd1d7a437bfcd5a31dab80dace8b51f5274c0

          SHA512

          c8a35125d25df522cf376059fe26051878163ce7af46cbc236955b9ca80df56127b5a72231c5e601db9a38c49027028dcea8aca57eea22d2d0a3cab903e012e4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AF5DXFFG.txt
          Filesize

          533B

          MD5

          a744b68e72aa96b4494f76d54516a8f3

          SHA1

          2e4f3ab3680844f22ac38f21d2c4424945a50667

          SHA256

          172c63b5d63ef73251073dcdaefe790e805ace20e668d37197f2ca358e07ca29

          SHA512

          04dfde798c1789395ffdae6fddb9a098f5976c0436f4665ff471c4630cca92c311ee644928aa115761088e24be8de48b5f73935c73aaaad151846bbf20151adf

          Download Submit

        • C:\Windows\SysWOW64\Tencenthw.exe
          Filesize

          35KB

          MD5

          107e71382f8c42169041743dd0e8e72e

          SHA1

          656c44dc0b546f0814c80e3334f5ee10d3f8b8fc

          SHA256

          2065e9ee4ebcf2d87c30c0c43676b85a5863579a9da1080f8a7eb0f9348ddc47

          SHA512

          e81559dc92527c62b603c02bbefd71b495e91105b09c64d6c3c5fddde40615204c0007e9d3382490a44158da305d3f22b84ae0d6f2d7ece840107ffcdcceb116

          Download Submit

        • C:\Windows\SysWOW64\cfghw.tmp
          Filesize

          185B

          MD5

          0010d08f56fa12ce6d57f7844c7faaa9

          SHA1

          dcac35f8f8709be3fd8552107fca0d250d5efa24

          SHA256

          65ccbdf80715a018723c359dd934c1a57ae108c00de959d35a62bd77fb6c363a

          SHA512

          0f094b1d1b559d8f351e93180a8419eb3f28eae33118a3c3829cfc20cf3cf0d637c53ff14b5d7ced4e66b090f773a3262fb75a01babfd8659709cd352c2b10ef

          Download Submit

        • \Users\Admin\AppData\Local\Temp\DNF01Á¬·¢¹¤¾ß.exe
          Filesize

          620KB

          MD5

          818218a13de47277ae018f384f5c25d4

          SHA1

          34284575d27710b39252e66b73c1dcc8852f8b6f

          SHA256

          fe6d4d79d68976973b4c26e861dbe7f3d97e37062781ff28c5b9e0fc7e4f0075

          SHA512

          9312df1f6eb61ace14fada64ea1ded3647ec8be2bd85b610ba4805671e6616e64f07b2d3359d5e8b19b68771c10e1317d1914d3e72f7a1b2a90ef42d145700d5

          Download Submit

        • \Users\Admin\AppData\Local\Temp\DNF01Á¬·¢¹¤¾ß.exe
          Filesize

          620KB

          MD5

          818218a13de47277ae018f384f5c25d4

          SHA1

          34284575d27710b39252e66b73c1dcc8852f8b6f

          SHA256

          fe6d4d79d68976973b4c26e861dbe7f3d97e37062781ff28c5b9e0fc7e4f0075

          SHA512

          9312df1f6eb61ace14fada64ea1ded3647ec8be2bd85b610ba4805671e6616e64f07b2d3359d5e8b19b68771c10e1317d1914d3e72f7a1b2a90ef42d145700d5

          Download Submit

        • \Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          80KB

          MD5

          177f093147c38555ca830c266f967a26

          SHA1

          560d9206482e898f73d092fcfdf1777db598cf13

          SHA256

          6c1d97af8a64a20fd7f04c99db4420b55babfb81229704109d46a0d14c40e9d6

          SHA512

          54ed6d51364ae2836e091c7cd51eaf59bf133df2789434f92407ffd70ebcfe25633212a73e0c24e275020185baf9dbb01bca231df225113abc24a2d6adbc258f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          80KB

          MD5

          177f093147c38555ca830c266f967a26

          SHA1

          560d9206482e898f73d092fcfdf1777db598cf13

          SHA256

          6c1d97af8a64a20fd7f04c99db4420b55babfb81229704109d46a0d14c40e9d6

          SHA512

          54ed6d51364ae2836e091c7cd51eaf59bf133df2789434f92407ffd70ebcfe25633212a73e0c24e275020185baf9dbb01bca231df225113abc24a2d6adbc258f

          Download Submit

        • \Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
          Filesize

          58KB

          MD5

          59aa2880527d8baf9d025c3dc2925503

          SHA1

          de75a277fae0886fba8adc778e11b8fb788f1319

          SHA256

          d7c6cd9f7f7e9254d5bb4dcd640dd1d7a437bfcd5a31dab80dace8b51f5274c0

          SHA512

          c8a35125d25df522cf376059fe26051878163ce7af46cbc236955b9ca80df56127b5a72231c5e601db9a38c49027028dcea8aca57eea22d2d0a3cab903e012e4

          Download Submit

        • \Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
          Filesize

          58KB

          MD5

          59aa2880527d8baf9d025c3dc2925503

          SHA1

          de75a277fae0886fba8adc778e11b8fb788f1319

          SHA256

          d7c6cd9f7f7e9254d5bb4dcd640dd1d7a437bfcd5a31dab80dace8b51f5274c0

          SHA512

          c8a35125d25df522cf376059fe26051878163ce7af46cbc236955b9ca80df56127b5a72231c5e601db9a38c49027028dcea8aca57eea22d2d0a3cab903e012e4

          Download Submit

        • \Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
          Filesize

          58KB

          MD5

          59aa2880527d8baf9d025c3dc2925503

          SHA1

          de75a277fae0886fba8adc778e11b8fb788f1319

          SHA256

          d7c6cd9f7f7e9254d5bb4dcd640dd1d7a437bfcd5a31dab80dace8b51f5274c0

          SHA512

          c8a35125d25df522cf376059fe26051878163ce7af46cbc236955b9ca80df56127b5a72231c5e601db9a38c49027028dcea8aca57eea22d2d0a3cab903e012e4

          Download Submit

        • \Users\Admin\AppData\Local\Temp\vKINSTALLERS_43_25100.exe
          Filesize

          58KB

          MD5

          59aa2880527d8baf9d025c3dc2925503

          SHA1

          de75a277fae0886fba8adc778e11b8fb788f1319

          SHA256

          d7c6cd9f7f7e9254d5bb4dcd640dd1d7a437bfcd5a31dab80dace8b51f5274c0

          SHA512

          c8a35125d25df522cf376059fe26051878163ce7af46cbc236955b9ca80df56127b5a72231c5e601db9a38c49027028dcea8aca57eea22d2d0a3cab903e012e4

          Download Submit

        • \Windows\SysWOW64\Tencenthw.exe
          Filesize

          35KB

          MD5

          107e71382f8c42169041743dd0e8e72e

          SHA1

          656c44dc0b546f0814c80e3334f5ee10d3f8b8fc

          SHA256

          2065e9ee4ebcf2d87c30c0c43676b85a5863579a9da1080f8a7eb0f9348ddc47

          SHA512

          e81559dc92527c62b603c02bbefd71b495e91105b09c64d6c3c5fddde40615204c0007e9d3382490a44158da305d3f22b84ae0d6f2d7ece840107ffcdcceb116

          Download Submit

        • \Windows\SysWOW64\Tencenthw.exe
          Filesize

          35KB

          MD5

          107e71382f8c42169041743dd0e8e72e

          SHA1

          656c44dc0b546f0814c80e3334f5ee10d3f8b8fc

          SHA256

          2065e9ee4ebcf2d87c30c0c43676b85a5863579a9da1080f8a7eb0f9348ddc47

          SHA512

          e81559dc92527c62b603c02bbefd71b495e91105b09c64d6c3c5fddde40615204c0007e9d3382490a44158da305d3f22b84ae0d6f2d7ece840107ffcdcceb116

          Download Submit

        • \Windows\SysWOW64\Tencenthw.exe
          Filesize

          35KB

          MD5

          107e71382f8c42169041743dd0e8e72e

          SHA1

          656c44dc0b546f0814c80e3334f5ee10d3f8b8fc

          SHA256

          2065e9ee4ebcf2d87c30c0c43676b85a5863579a9da1080f8a7eb0f9348ddc47

          SHA512

          e81559dc92527c62b603c02bbefd71b495e91105b09c64d6c3c5fddde40615204c0007e9d3382490a44158da305d3f22b84ae0d6f2d7ece840107ffcdcceb116

          Download Submit

        • \Windows\SysWOW64\Tencenthw.exe
          Filesize

          35KB

          MD5

          107e71382f8c42169041743dd0e8e72e

          SHA1

          656c44dc0b546f0814c80e3334f5ee10d3f8b8fc

          SHA256

          2065e9ee4ebcf2d87c30c0c43676b85a5863579a9da1080f8a7eb0f9348ddc47

          SHA512

          e81559dc92527c62b603c02bbefd71b495e91105b09c64d6c3c5fddde40615204c0007e9d3382490a44158da305d3f22b84ae0d6f2d7ece840107ffcdcceb116

          Download Submit

        • \Windows\SysWOW64\Tencenthw.exe
          Filesize

          35KB

          MD5

          107e71382f8c42169041743dd0e8e72e

          SHA1

          656c44dc0b546f0814c80e3334f5ee10d3f8b8fc

          SHA256

          2065e9ee4ebcf2d87c30c0c43676b85a5863579a9da1080f8a7eb0f9348ddc47

          SHA512

          e81559dc92527c62b603c02bbefd71b495e91105b09c64d6c3c5fddde40615204c0007e9d3382490a44158da305d3f22b84ae0d6f2d7ece840107ffcdcceb116

          Download Submit

        • memory/576-75-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/576-77-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1504-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1504-72-0x0000000002100000-0x000000000212D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1504-71-0x0000000002100000-0x000000000212D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1516-76-0x0000000000300000-0x000000000030E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1516-74-0x0000000000300000-0x000000000030E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1516-73-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download