Overview

overview

10

Static

static

b6237ce8a2...7c.exe

windows7-x64

8

b6237ce8a2...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6237ce8a27b94f82628050897215257bd4466721b50c13b285e95dc29c3057c.exe

  • Size

    361KB

  • MD5

    4eea01266c594b5527408d62b2d71116

  • SHA1

    78f505f4374a8b321874dff273ce03df657a23a1

  • SHA256

    b6237ce8a27b94f82628050897215257bd4466721b50c13b285e95dc29c3057c

  • SHA512

    c20d2e2eb4a1079780f3dd165fbe5003126e7249a811e64e35cae3c4e027d020821a7ccec30e557db8849110c8cec9dc9ec2a93a7079cf3b328eaef1914d6248

  • SSDEEP

    6144:bflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:bflfAsiVGjSGecvX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6237ce8a27b94f82628050897215257bd4466721b50c13b285e95dc29c3057c.exe
    "C:\Users\Admin\AppData\Local\Temp\b6237ce8a27b94f82628050897215257bd4466721b50c13b285e95dc29c3057c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Temp\wvupnbzytsndcxwu.exe
      C:\Temp\wvupnbzytsndcxwu.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\xuqieaxttp.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1396
        • C:\Temp\xuqieaxttp.exe
          C:\Temp\xuqieaxttp.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1568
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1360
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8f25435ac80caf9b5f1e8a381216f40e

    SHA1

    696e58e2b56e34c3e95ce4599ab5a2854b80f648

    SHA256

    7382ef5061e7db363a74b86fc71fe72e690b5352912017c625986333580ab66c

    SHA512

    21ea100c2b5b59396161a8296bd09ee5e8bccde04cc8b880e72933d03446fddd3cbd25e0d03b7b223ff570f0b10c0efe3ab369108335977b9c36c88233808e2b

    Download Submit

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8f25435ac80caf9b5f1e8a381216f40e

    SHA1

    696e58e2b56e34c3e95ce4599ab5a2854b80f648

    SHA256

    7382ef5061e7db363a74b86fc71fe72e690b5352912017c625986333580ab66c

    SHA512

    21ea100c2b5b59396161a8296bd09ee5e8bccde04cc8b880e72933d03446fddd3cbd25e0d03b7b223ff570f0b10c0efe3ab369108335977b9c36c88233808e2b

    Download Submit

  • C:\Temp\wvupnbzytsndcxwu.exe
    Filesize

    361KB

    MD5

    8ab5f33f5e032f18bd92064af1314d01

    SHA1

    bf69d50973e250ea9c8e137ede411500f6cca4ae

    SHA256

    9052e637be61e636b5ac0ee769e90bead089554a62604862a8f0cc95196ff5dc

    SHA512

    47fce53d781a0109e21c78877517e0cdb93ff2518ebb1e9513b26c414ff2b43d7d26a283c096cc964f97efed5b5beadeada65fc71e1bac1ce5d6143156a25ecc

    Download Submit

  • C:\Temp\wvupnbzytsndcxwu.exe
    Filesize

    361KB

    MD5

    8ab5f33f5e032f18bd92064af1314d01

    SHA1

    bf69d50973e250ea9c8e137ede411500f6cca4ae

    SHA256

    9052e637be61e636b5ac0ee769e90bead089554a62604862a8f0cc95196ff5dc

    SHA512

    47fce53d781a0109e21c78877517e0cdb93ff2518ebb1e9513b26c414ff2b43d7d26a283c096cc964f97efed5b5beadeada65fc71e1bac1ce5d6143156a25ecc

    Download Submit

  • C:\Temp\xuqieaxttp.exe
    Filesize

    361KB

    MD5

    c055ccdecbb8c9aef6d603027ccc902b

    SHA1

    caa607706c6aa0b91d7326488a51547fc04fb54c

    SHA256

    b141faa0f346f3490c9bb16743d0d4ed8d8432f550d58f8f273c685bbe5860ba

    SHA512

    741749a08542daf0f1a2a7cf4a7e51482610da21cd623603de8376bfb6dc1caabe5eb93c5aa72dc42b7fc9dfba1988054e26fa4f81f55a6eff747c22a34afffc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BT8XA15H.txt
    Filesize

    595B

    MD5

    9eeaa9f099d19cf8e8a9255b300ed5a7

    SHA1

    e8b3ff5a0f89313def4339f38e820ff4ccc5b63a

    SHA256

    14187b9de67f6bc4acbb6fe4530914d80b3a033fb75a21e2d2186faf2f4ad105

    SHA512

    aff54b69cfd303fe94b2e0ff6a9c14ff37d6594fce2dbd4e3d898657ddd950cf0993256520e00cff9dcb3d3068044dc0fc6787ab7761466aed6a61cb87ffc858

    Download Submit

  • C:\temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8f25435ac80caf9b5f1e8a381216f40e

    SHA1

    696e58e2b56e34c3e95ce4599ab5a2854b80f648

    SHA256

    7382ef5061e7db363a74b86fc71fe72e690b5352912017c625986333580ab66c

    SHA512

    21ea100c2b5b59396161a8296bd09ee5e8bccde04cc8b880e72933d03446fddd3cbd25e0d03b7b223ff570f0b10c0efe3ab369108335977b9c36c88233808e2b

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8f25435ac80caf9b5f1e8a381216f40e

    SHA1

    696e58e2b56e34c3e95ce4599ab5a2854b80f648

    SHA256

    7382ef5061e7db363a74b86fc71fe72e690b5352912017c625986333580ab66c

    SHA512

    21ea100c2b5b59396161a8296bd09ee5e8bccde04cc8b880e72933d03446fddd3cbd25e0d03b7b223ff570f0b10c0efe3ab369108335977b9c36c88233808e2b

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8f25435ac80caf9b5f1e8a381216f40e

    SHA1

    696e58e2b56e34c3e95ce4599ab5a2854b80f648

    SHA256

    7382ef5061e7db363a74b86fc71fe72e690b5352912017c625986333580ab66c

    SHA512

    21ea100c2b5b59396161a8296bd09ee5e8bccde04cc8b880e72933d03446fddd3cbd25e0d03b7b223ff570f0b10c0efe3ab369108335977b9c36c88233808e2b

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8f25435ac80caf9b5f1e8a381216f40e

    SHA1

    696e58e2b56e34c3e95ce4599ab5a2854b80f648

    SHA256

    7382ef5061e7db363a74b86fc71fe72e690b5352912017c625986333580ab66c

    SHA512

    21ea100c2b5b59396161a8296bd09ee5e8bccde04cc8b880e72933d03446fddd3cbd25e0d03b7b223ff570f0b10c0efe3ab369108335977b9c36c88233808e2b

    Download Submit

  • \Temp\wvupnbzytsndcxwu.exe
    Filesize

    361KB

    MD5

    8ab5f33f5e032f18bd92064af1314d01

    SHA1

    bf69d50973e250ea9c8e137ede411500f6cca4ae

    SHA256

    9052e637be61e636b5ac0ee769e90bead089554a62604862a8f0cc95196ff5dc

    SHA512

    47fce53d781a0109e21c78877517e0cdb93ff2518ebb1e9513b26c414ff2b43d7d26a283c096cc964f97efed5b5beadeada65fc71e1bac1ce5d6143156a25ecc

    Download Submit

  • memory/1348-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1396-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1568-65-0x0000000000000000-mapping.dmp

    Download