Overview

overview

8

Static

static

ad488d3f91...b4.exe

windows7-x64

8

ad488d3f91...b4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe

  • Size

    57KB

  • MD5

    c000b6bc63f8f6da787d8581289254a7

  • SHA1

    12e95ac16e0c5d8df2d9e51a7da311be310f7acb

  • SHA256

    ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4

  • SHA512

    18397a9d2f4a02d89372fd372f6480a8a0e5ed46c416cba315bae732b4c07623bfb8b162279579a86b7a5a3bebb2eb09172f8c4eef2e49876e6b7e786ef9fbe8

  • SSDEEP

    1536:o77/KSRNddvzL+nlAuRDDWTqRJWx02X0yYD4uM/BS2x95biTvvu/:o77/KSRNddvzL+nlAuRDDWTqRJ80EbYA

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe
    "C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe
      "C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\Program Files (x86)\Adobe\acrotray.exe
      "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Program Files (x86)\Adobe\acrotray.exe
        "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4612
      • C:\Program Files (x86)\Adobe\acrotray .exe
        "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Program Files (x86)\Adobe\acrotray .exe
          "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ad488d3f91755d7beea5ec900566495da8515e3d8af9f7f75ad20638a15f58b4.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3584
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:212
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:17418 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2556
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:82948 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4072

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Adobe\acrotray .exe
      Filesize

      76KB

      MD5

      aa5b003ecf07ac343d65f67b23a27750

      SHA1

      c3af0ff3c999d4e22d22001aea8fce766436584c

      SHA256

      2b8c32aaf81401733fde01fa99d998302596eee168fec92250ee598e8b95412b

      SHA512

      4627686f589edbac3b3b8ccb863acc79d550c609f80a8559b34b4104a8c42bea292da51c2746ec4942a2db9d0ae6a73eaec0d34b3d549ebd3f0e00a9c4f454e7

      Download Submit

    • C:\Program Files (x86)\Adobe\acrotray .exe
      Filesize

      76KB

      MD5

      aa5b003ecf07ac343d65f67b23a27750

      SHA1

      c3af0ff3c999d4e22d22001aea8fce766436584c

      SHA256

      2b8c32aaf81401733fde01fa99d998302596eee168fec92250ee598e8b95412b

      SHA512

      4627686f589edbac3b3b8ccb863acc79d550c609f80a8559b34b4104a8c42bea292da51c2746ec4942a2db9d0ae6a73eaec0d34b3d549ebd3f0e00a9c4f454e7

      Download Submit

    • C:\Program Files (x86)\Adobe\acrotray .exe
      Filesize

      76KB

      MD5

      aa5b003ecf07ac343d65f67b23a27750

      SHA1

      c3af0ff3c999d4e22d22001aea8fce766436584c

      SHA256

      2b8c32aaf81401733fde01fa99d998302596eee168fec92250ee598e8b95412b

      SHA512

      4627686f589edbac3b3b8ccb863acc79d550c609f80a8559b34b4104a8c42bea292da51c2746ec4942a2db9d0ae6a73eaec0d34b3d549ebd3f0e00a9c4f454e7

      Download Submit

    • C:\Program Files (x86)\Adobe\acrotray.exe
      Filesize

      66KB

      MD5

      0997d81dd07e0137b9bc0dd50b539b96

      SHA1

      34331ecd56b6bf3c25f3b7e396a1337418c9adf1

      SHA256

      c0379bc3b02e78d7c409a8e1875df668356e1137f55b5c38b77506dec8bf2095

      SHA512

      22465cd7e34f706dcaa6a24c275c73b5fba6c39ebbd591d9b60e2d7bfd103d3aa8cd1ba443fb296a13e3e51eaecbd74a527a9616b83031eaabb1bf3bd790be71

      Download Submit

    • C:\Program Files (x86)\Adobe\acrotray.exe
      Filesize

      66KB

      MD5

      0997d81dd07e0137b9bc0dd50b539b96

      SHA1

      34331ecd56b6bf3c25f3b7e396a1337418c9adf1

      SHA256

      c0379bc3b02e78d7c409a8e1875df668356e1137f55b5c38b77506dec8bf2095

      SHA512

      22465cd7e34f706dcaa6a24c275c73b5fba6c39ebbd591d9b60e2d7bfd103d3aa8cd1ba443fb296a13e3e51eaecbd74a527a9616b83031eaabb1bf3bd790be71

      Download Submit

    • C:\Program Files (x86)\Adobe\acrotray.exe
      Filesize

      66KB

      MD5

      0997d81dd07e0137b9bc0dd50b539b96

      SHA1

      34331ecd56b6bf3c25f3b7e396a1337418c9adf1

      SHA256

      c0379bc3b02e78d7c409a8e1875df668356e1137f55b5c38b77506dec8bf2095

      SHA512

      22465cd7e34f706dcaa6a24c275c73b5fba6c39ebbd591d9b60e2d7bfd103d3aa8cd1ba443fb296a13e3e51eaecbd74a527a9616b83031eaabb1bf3bd790be71

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      11acbd1ce7fe1ce8a86bf584c02067d4

      SHA1

      fb871afaf09064ce8d079f5e39aaed3a4bdc0a57

      SHA256

      f24e309dd00df0d4bb5e7c4992a985f60b21b90aa1bbc7a2806053f2a6661596

      SHA512

      f6348b65224116a591d011a83b7fbf947c7c9ab00a58fab927fad7fb4cef952f0fb4ecc88babe3ee20dbaab18059d9fababf326f8bf9a0ca248a054939051662

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
      Filesize

      724B

      MD5

      f569e1d183b84e8078dc456192127536

      SHA1

      30c537463eed902925300dd07a87d820a713753f

      SHA256

      287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

      SHA512

      49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      9ccc194c1a42036ca347fdd612d547bb

      SHA1

      497c54f07d2fbd57c1a00876fa720375e6eb6c39

      SHA256

      7ad4a4ba6d111a828f13de58e2b0efdd49da969f8fa4f4d9dfb32eedc32e82bb

      SHA512

      f0792ef38109ae7930b059d99fc6c0bde6bc1c32bd21b52b97b9f99c91925d5648966c87e61ddbdfe03f8b89acecc8c00ebba2726ac3dba8c16a3c85b462ae77

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
      Filesize

      392B

      MD5

      863d87567b4073a159a05dd4175e9e63

      SHA1

      15bf86ed91e5d69366cada4ffd5ab911bff7a460

      SHA256

      d66fc07bda766bdfe60ee64ea24f35e4a2b1b3f93d95d2c5136edd3bbd280075

      SHA512

      0e57365cd1f377b2203ab2939fae8ac75676a8a96e67a4b406a640fba5f0a8902b52c8d311e7559d74ef8e68685ab58111d71f4bd42c9128356ec385f5986ff0

      Download Submit

    • memory/848-132-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB

      Download