Overview

overview

8

Static

static

ad488d3f91...b4.exe

windows7-x64

8

ad488d3f91...b4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe

  • Size

    57KB

  • MD5

    c000b6bc63f8f6da787d8581289254a7

  • SHA1

    12e95ac16e0c5d8df2d9e51a7da311be310f7acb

  • SHA256

    ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4

  • SHA512

    18397a9d2f4a02d89372fd372f6480a8a0e5ed46c416cba315bae732b4c07623bfb8b162279579a86b7a5a3bebb2eb09172f8c4eef2e49876e6b7e786ef9fbe8

  • SSDEEP

    1536:o77/KSRNddvzL+nlAuRDDWTqRJWx02X0yYD4uM/BS2x95biTvvu/:o77/KSRNddvzL+nlAuRDDWTqRJ80EbYA

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe
    "C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe
      "C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe
        "C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:652
    • C:\Program Files (x86)\Adobe\acrotray.exe
      "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files (x86)\Adobe\acrotray.exe
        "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
      • C:\Program Files (x86)\Adobe\acrotray .exe
        "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Program Files (x86)\Adobe\acrotray .exe
          "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1900
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1616
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:472083 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Adobe\acrotray .exe
    Filesize

    59KB

    MD5

    c77ffd7f9265bc3f747dc50034a90c96

    SHA1

    55c0327c8935acb9a659a4d7ee2f00873e86387c

    SHA256

    07b106d51bc285c1e583c1a99e5b357bf0eb1eb7aeccb47e0560673c5d2d1c85

    SHA512

    350129537e92429033cba473d1a2304da0e383d4b132e56812f539b28f6fbbeb77704b5949410023e2c74c3208175a2546b830df9682c9e3729436f85996d4c4

    Download Submit

  • C:\Program Files (x86)\Adobe\acrotray .exe
    Filesize

    59KB

    MD5

    c77ffd7f9265bc3f747dc50034a90c96

    SHA1

    55c0327c8935acb9a659a4d7ee2f00873e86387c

    SHA256

    07b106d51bc285c1e583c1a99e5b357bf0eb1eb7aeccb47e0560673c5d2d1c85

    SHA512

    350129537e92429033cba473d1a2304da0e383d4b132e56812f539b28f6fbbeb77704b5949410023e2c74c3208175a2546b830df9682c9e3729436f85996d4c4

    Download Submit

  • C:\Program Files (x86)\Adobe\acrotray .exe
    Filesize

    59KB

    MD5

    c77ffd7f9265bc3f747dc50034a90c96

    SHA1

    55c0327c8935acb9a659a4d7ee2f00873e86387c

    SHA256

    07b106d51bc285c1e583c1a99e5b357bf0eb1eb7aeccb47e0560673c5d2d1c85

    SHA512

    350129537e92429033cba473d1a2304da0e383d4b132e56812f539b28f6fbbeb77704b5949410023e2c74c3208175a2546b830df9682c9e3729436f85996d4c4

    Download Submit

  • C:\Program Files (x86)\Adobe\acrotray.exe
    Filesize

    88KB

    MD5

    99eb8b8998801d2bb74c411e565d0961

    SHA1

    17f45f62bcfd7f052a3e456aadb8d566035cbf79

    SHA256

    5b9ac7fa92f1d8cb97ae1c978782236a0de0eb50fc81a9d165e2e12afbf17b3c

    SHA512

    b8feddef24587b13b50f0fc9c5a54d6e57eeab310ef25a89866bce725835b77a6968c05c7c356514f20d1bb13cb34ceb54216703f6320eeb064306b074cbeded

    Download Submit

  • C:\Program Files (x86)\Adobe\acrotray.exe
    Filesize

    88KB

    MD5

    99eb8b8998801d2bb74c411e565d0961

    SHA1

    17f45f62bcfd7f052a3e456aadb8d566035cbf79

    SHA256

    5b9ac7fa92f1d8cb97ae1c978782236a0de0eb50fc81a9d165e2e12afbf17b3c

    SHA512

    b8feddef24587b13b50f0fc9c5a54d6e57eeab310ef25a89866bce725835b77a6968c05c7c356514f20d1bb13cb34ceb54216703f6320eeb064306b074cbeded

    Download Submit

  • C:\Program Files (x86)\Adobe\acrotray.exe
    Filesize

    88KB

    MD5

    99eb8b8998801d2bb74c411e565d0961

    SHA1

    17f45f62bcfd7f052a3e456aadb8d566035cbf79

    SHA256

    5b9ac7fa92f1d8cb97ae1c978782236a0de0eb50fc81a9d165e2e12afbf17b3c

    SHA512

    b8feddef24587b13b50f0fc9c5a54d6e57eeab310ef25a89866bce725835b77a6968c05c7c356514f20d1bb13cb34ceb54216703f6320eeb064306b074cbeded

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    11acbd1ce7fe1ce8a86bf584c02067d4

    SHA1

    fb871afaf09064ce8d079f5e39aaed3a4bdc0a57

    SHA256

    f24e309dd00df0d4bb5e7c4992a985f60b21b90aa1bbc7a2806053f2a6661596

    SHA512

    f6348b65224116a591d011a83b7fbf947c7c9ab00a58fab927fad7fb4cef952f0fb4ecc88babe3ee20dbaab18059d9fababf326f8bf9a0ca248a054939051662

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize

    724B

    MD5

    f569e1d183b84e8078dc456192127536

    SHA1

    30c537463eed902925300dd07a87d820a713753f

    SHA256

    287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

    SHA512

    49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    7ddf72436b037b940bead298cdfb039c

    SHA1

    5718ffb9770f28a2ef61e1c0152050d23f4c6f50

    SHA256

    4cc8de206610cffcf202cb8b306549177b4495a791b2f6666dfcb93634d37205

    SHA512

    e33b0b76efbeb80b88b0ad079095412091655125e59d45f2566bfedae5121d6bb5136a5aaf7f959b911d6ff72f9eb98e06c99e85772473024d9ba651015163bf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    04c42124429f249481852e81a15f6a20

    SHA1

    ab7d785e35d14d0fee531b531057d43c6ca50457

    SHA256

    d92754b81cb3516a1a045e9df8a054b785c312a2ff2edaacb87495b107c584b3

    SHA512

    a9aa43e6f9d2cdfe830a93a82b3d2529d60aed4337bc05a47274b0c1dc6c412e8577019d05f37897dc7a04c91fc378d52326e22386a378e0434eb219c9cba3ff

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cc034d9e361394b9d92f2041b6c5a1bc

    SHA1

    9af18d2821b259a60cd7447d1eb3b936794aea8d

    SHA256

    96ec9000564b31b14b49712494e57ab0c2dbbd99d87db4e2cedd0665b026b8c2

    SHA512

    f1f5c37bb4b38cc20c95d230559beb19dd9706024b5c0b466c81775e00d8ada0cc9632ec5edba2c596e9b868f9fd2368cb8c74ab05c3e658669da2d09cba8ab4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
    Filesize

    392B

    MD5

    fb88083cc7a6b701ca5b9453dd1414ff

    SHA1

    2edcc68d437f34a44583127495f23c9af16e0048

    SHA256

    5f6bb0c08d9508f33ee3edfbc7004042819bd1704cf56980a082a5b0178b830f

    SHA512

    44161cfac411ad9c840f2a68ca8f9fd127b1095440fc5c34235eadf3b196be0058ca600fe40143fef3f26b4d73b142ec6027fe38270ec5264a09dcf4375b7e5a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    25d7ebdaaeea98dc3cd87b44e927b896

    SHA1

    a326e61dcef28be060c98a22495008ba04fb2638

    SHA256

    a5eda3aa97b54d42eb557b579d62e24deb6e16d56428cba23b80840657ac6cfb

    SHA512

    7a0a0747ab1cf104486573d8bc3dbe9f478d654b79ff1917a8c9813b620bb630b172d92ef0fde85bee65973f5f6072f960591f7314f1b4ca4d8636887349cc9a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I3U5LWSJ.txt
    Filesize

    608B

    MD5

    2fd33be28f6ad2f01cf0fad9181a86f8

    SHA1

    c04bc6164ab49eb7b4ad13690bb361269b0ce38f

    SHA256

    9cd743311c1f1f6405dd45b0e85e39f4adc2e1b4cc7c2535d9689cb846108dce

    SHA512

    c283c98c554c2c040dc405fd10cdca2b9226ef0609381350cf2fcb3ffcc3f44c14641c966402b8a61cc947c4455e5831b72cdfdc35aac505aa62e18870ed81f7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WUI51ILA.txt
    Filesize

    114B

    MD5

    e95a17ba445c91f7181ff9742a59d2ee

    SHA1

    430a4e3a79b7a108a885a735abf2cd5075ef1633

    SHA256

    56d94d7b90a13f0754d70fddf5f9c75baa9d27c034645a80a5032a312f0abdae

    SHA512

    cda1bf6333067110f72a8cc7cafb593970f3f64ca5599e73f85931e6a8dfa318217011d590f74a979f4362424cdeed9f303583682cd2af32465ec22d3477cb1f

    Download Submit

  • \Program Files (x86)\Adobe\acrotray .exe
    Filesize

    59KB

    MD5

    c77ffd7f9265bc3f747dc50034a90c96

    SHA1

    55c0327c8935acb9a659a4d7ee2f00873e86387c

    SHA256

    07b106d51bc285c1e583c1a99e5b357bf0eb1eb7aeccb47e0560673c5d2d1c85

    SHA512

    350129537e92429033cba473d1a2304da0e383d4b132e56812f539b28f6fbbeb77704b5949410023e2c74c3208175a2546b830df9682c9e3729436f85996d4c4

    Download Submit

  • \Program Files (x86)\Adobe\acrotray .exe
    Filesize

    59KB

    MD5

    c77ffd7f9265bc3f747dc50034a90c96

    SHA1

    55c0327c8935acb9a659a4d7ee2f00873e86387c

    SHA256

    07b106d51bc285c1e583c1a99e5b357bf0eb1eb7aeccb47e0560673c5d2d1c85

    SHA512

    350129537e92429033cba473d1a2304da0e383d4b132e56812f539b28f6fbbeb77704b5949410023e2c74c3208175a2546b830df9682c9e3729436f85996d4c4

    Download Submit

  • \Program Files (x86)\Adobe\acrotray.exe
    Filesize

    88KB

    MD5

    99eb8b8998801d2bb74c411e565d0961

    SHA1

    17f45f62bcfd7f052a3e456aadb8d566035cbf79

    SHA256

    5b9ac7fa92f1d8cb97ae1c978782236a0de0eb50fc81a9d165e2e12afbf17b3c

    SHA512

    b8feddef24587b13b50f0fc9c5a54d6e57eeab310ef25a89866bce725835b77a6968c05c7c356514f20d1bb13cb34ceb54216703f6320eeb064306b074cbeded

    Download Submit

  • \Program Files (x86)\Adobe\acrotray.exe
    Filesize

    88KB

    MD5

    99eb8b8998801d2bb74c411e565d0961

    SHA1

    17f45f62bcfd7f052a3e456aadb8d566035cbf79

    SHA256

    5b9ac7fa92f1d8cb97ae1c978782236a0de0eb50fc81a9d165e2e12afbf17b3c

    SHA512

    b8feddef24587b13b50f0fc9c5a54d6e57eeab310ef25a89866bce725835b77a6968c05c7c356514f20d1bb13cb34ceb54216703f6320eeb064306b074cbeded

    Download Submit

  • memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1408-55-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

    Download