7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65

Analysis

max time kernel
172s
max time network
176s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe
Size

2.7MB
MD5

9e659727fabfd9da06acb1071f083379
SHA1

4ad139850cdac9a2eb4832bd4795f40c162bbccb
SHA256

7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65
SHA512

7b1a142cd74962e51f769c229a8a3f4d7bb46a2a200db4f8e6807ee79355c1a4f971d26e113bf48b70cc1ea283704a7c2671f0127a68b8ea322eb56485590722
SSDEEP

49152:m4IvhmY1pu2asY6DwOBfrnvV7UeWtSF/RxdI6vY80Wl/Rvnqw5bxSowDrHy:mrvhd1pdYiwOBpIeWYF/iPWl/9qw5bQI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe
1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe
1908	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1908	1672	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe	28
PID 1672 wrote to memory of 1908	1672	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe	28
PID 1672 wrote to memory of 1908	1672	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe	28
PID 1672 wrote to memory of 1908	1672	7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe	28

C:\Users\Admin\AppData\Local\Temp\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe
"C:\Users\Admin\AppData\Local\Temp\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\b1ezjxy1.um5\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe
  "C:\Users\Admin\AppData\Local\Temp\b1ezjxy1.um5\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b1ezjxy1.um5\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Filesize
2.6MB

MD5
696c58393e18ebb4e8c895267f43cbf0

SHA1
e4cbc7d42533da3ba5f043a9a04d1390b0920390

SHA256
52c3163babb0d4994c199c08b39c05c7cb44be00c51a98cd91827218e98743ba

SHA512
8683b2c2dc7d127601687ea67ef8ab46fa7b6f632722ab4feaa14f766819e58294c2f14bd012a3b4d318b076bd5f56e74c99eb78b71692e98b04b87c830e7031

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ezjxy1.um5\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Filesize
2.6MB

MD5
696c58393e18ebb4e8c895267f43cbf0

SHA1
e4cbc7d42533da3ba5f043a9a04d1390b0920390

SHA256
52c3163babb0d4994c199c08b39c05c7cb44be00c51a98cd91827218e98743ba

SHA512
8683b2c2dc7d127601687ea67ef8ab46fa7b6f632722ab4feaa14f766819e58294c2f14bd012a3b4d318b076bd5f56e74c99eb78b71692e98b04b87c830e7031

Download Submit
\Users\Admin\AppData\Local\Temp\b1ezjxy1.um5\7966922c26c3e78b28ce1d51fb6ed85e4a8fad7b3187bdb31a59355572110e65.exe

Filesize
2.6MB

MD5
696c58393e18ebb4e8c895267f43cbf0

SHA1
e4cbc7d42533da3ba5f043a9a04d1390b0920390

SHA256
52c3163babb0d4994c199c08b39c05c7cb44be00c51a98cd91827218e98743ba

SHA512
8683b2c2dc7d127601687ea67ef8ab46fa7b6f632722ab4feaa14f766819e58294c2f14bd012a3b4d318b076bd5f56e74c99eb78b71692e98b04b87c830e7031

Download Submit
\Users\Admin\AppData\Local\Temp\b1ezjxy1.um5\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
memory/1672-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-59-0x0000000004BB0000-0x0000000004CA0000-memory.dmp

Filesize
960KB

Download
memory/1672-64-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-80-0x0000000076620000-0x000000007677C000-memory.dmp

Filesize
1.4MB

Download
memory/1908-85-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-63-0x0000000075590000-0x00000000755DA000-memory.dmp

Filesize
296KB

Download
memory/1908-65-0x0000000000860000-0x0000000000950000-memory.dmp

Filesize
960KB

Download
memory/1908-67-0x0000000077560000-0x000000007760C000-memory.dmp

Filesize
688KB

Download
memory/1908-68-0x0000000075AC0000-0x0000000075B07000-memory.dmp

Filesize
284KB

Download
memory/1908-69-0x0000000075800000-0x0000000075857000-memory.dmp

Filesize
348KB

Download
memory/1908-70-0x0000000075580000-0x0000000075589000-memory.dmp

Filesize
36KB

Download
memory/1908-71-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-72-0x00000000767D0000-0x000000007741A000-memory.dmp

Filesize
12.3MB

Download
memory/1908-74-0x0000000075AC0000-0x0000000075B07000-memory.dmp

Filesize
284KB

Download
memory/1908-73-0x0000000000860000-0x0000000000950000-memory.dmp

Filesize
960KB

Download
memory/1908-76-0x00000000000F0000-0x000000000012D000-memory.dmp

Filesize
244KB

Download
memory/1908-78-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-77-0x0000000076620000-0x000000007677C000-memory.dmp

Filesize
1.4MB

Download
memory/1908-79-0x0000000075510000-0x000000007556B000-memory.dmp

Filesize
364KB

Download
memory/1908-81-0x0000000000860000-0x0000000000950000-memory.dmp

Filesize
960KB

Download
memory/1908-82-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1908-83-0x0000000000860000-0x0000000000950000-memory.dmp

Filesize
960KB

Download
memory/1908-84-0x0000000075AC0000-0x0000000075B07000-memory.dmp

Filesize
284KB

Download
memory/1908-61-0x0000000000860000-0x0000000000950000-memory.dmp

Filesize
960KB

Download
memory/1908-86-0x00000000778B0000-0x00000000778E5000-memory.dmp

Filesize
212KB

Download
memory/1908-87-0x00000000776B0000-0x00000000777CD000-memory.dmp

Filesize
1.1MB

Download
memory/1908-88-0x0000000064E70000-0x0000000065142000-memory.dmp

Filesize
2.8MB

Download
memory/1908-91-0x0000000077810000-0x000000007789F000-memory.dmp

Filesize
572KB

Download
memory/1908-92-0x00000000741A0000-0x00000000741B7000-memory.dmp

Filesize
92KB

Download
memory/1908-93-0x0000000073700000-0x0000000073715000-memory.dmp

Filesize
84KB

Download
memory/1908-94-0x0000000073720000-0x0000000073772000-memory.dmp

Filesize
328KB

Download
memory/1908-95-0x0000000074250000-0x000000007425D000-memory.dmp

Filesize
52KB

Download
memory/1908-96-0x0000000075D50000-0x0000000075D69000-memory.dmp

Filesize
100KB

Download
memory/1908-97-0x0000000072AE0000-0x0000000072B2F000-memory.dmp

Filesize
316KB

Download
memory/1908-98-0x0000000072B30000-0x0000000072B88000-memory.dmp

Filesize
352KB

Download
memory/1908-99-0x0000000072AC0000-0x0000000072ADC000-memory.dmp

Filesize
112KB

Download
memory/1908-100-0x0000000075790000-0x000000007579C000-memory.dmp

Filesize
48KB

Download
memory/1908-102-0x0000000075A80000-0x0000000075AA7000-memory.dmp

Filesize
156KB

Download
memory/1908-103-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1908-104-0x0000000075D50000-0x0000000075D69000-memory.dmp

Filesize
100KB

Download
memory/1908-105-0x00000000728F0000-0x0000000072A80000-memory.dmp

Filesize
1.6MB

Download
memory/1908-106-0x0000000072880000-0x00000000728DF000-memory.dmp

Filesize
380KB

Download
memory/1908-107-0x0000000072850000-0x0000000072863000-memory.dmp

Filesize
76KB

Download
memory/1908-108-0x000000000258A000-0x000000000259B000-memory.dmp

Filesize
68KB

Download