Overview

overview

8

Static

static

ad984c406e...17.exe

windows7-x64

8

ad984c406e...17.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad984c406ec4bf3e8686b7e6d1ab7cab0d0040787093818a1a57b4f223206217.exe

  • Size

    361KB

  • MD5

    1fd13a639ed0388516593d139f1b0000

  • SHA1

    3d8636cf47fec01c9954f16d103907c3c1d00239

  • SHA256

    ad984c406ec4bf3e8686b7e6d1ab7cab0d0040787093818a1a57b4f223206217

  • SHA512

    ee4a27ea02e23ab7e276bc5235cb4f4b2c6731039f51dd0e8f2f89474e6f52ff108dff62c3ae5861508aa8f7c5a2ce99f890c767d79980c22e37133dad2a3d80

  • SSDEEP

    6144:zflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:zflfAsiVGjSGecvX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad984c406ec4bf3e8686b7e6d1ab7cab0d0040787093818a1a57b4f223206217.exe
    "C:\Users\Admin\AppData\Local\Temp\ad984c406ec4bf3e8686b7e6d1ab7cab0d0040787093818a1a57b4f223206217.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Temp\srpljfvupojhytsq.exe
      C:\Temp\srpljfvupojhytsq.exe run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\temp\CreateProcess.exe
        C:\temp\CreateProcess.exe C:\Temp\okhdrrnkgd.exe ups_run
        3⤵
        • Executes dropped EXE
        PID:1960
        • C:\Temp\okhdrrnkgd.exe
          C:\Temp\okhdrrnkgd.exe ups_run
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\temp\CreateProcess.exe
            C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
            5⤵
            • Executes dropped EXE
            PID:1748
            • C:\windows\system32\ipconfig.exe
              C:\windows\system32\ipconfig.exe /release
              6⤵
              • Gathers network information
              PID:1676
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1108 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8dc1c9f3ae3709b0364c2151d66b7ad0

    SHA1

    72053f08cdb68ff2cd92d3863960b8e02d2d2959

    SHA256

    929a1074470c90f802afb546c7bdfbccbf56ea0f73716b74849d8df1563e5175

    SHA512

    eb71ac9d9c34e562508a0d8531f30e8d50d9a6fb32e83937b63e4098cd426bc85fe0b09058236e7dc9763787077ecacda58c0b9da11b5dc3a79f22fdb97b858d

    Download Submit

  • C:\Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8dc1c9f3ae3709b0364c2151d66b7ad0

    SHA1

    72053f08cdb68ff2cd92d3863960b8e02d2d2959

    SHA256

    929a1074470c90f802afb546c7bdfbccbf56ea0f73716b74849d8df1563e5175

    SHA512

    eb71ac9d9c34e562508a0d8531f30e8d50d9a6fb32e83937b63e4098cd426bc85fe0b09058236e7dc9763787077ecacda58c0b9da11b5dc3a79f22fdb97b858d

    Download Submit

  • C:\Temp\okhdrrnkgd.exe
    Filesize

    361KB

    MD5

    d4311a3ae5b5929a781ee4c203ecada3

    SHA1

    ecbb187207609ec204a71b68a6300ff04b1dee02

    SHA256

    7527e0ac33af075e20ef04695d8b0aafcdcd2dfe79293d029531624ceb9a616c

    SHA512

    692ea9154950bab635ebc0c3da672acd9db13b567615f1f67ed5c4f644b83d4488198131df8b346dea34825faf49e5300a3975832ec8c0bcbcb8373b8d204ff6

    Download Submit

  • C:\Temp\srpljfvupojhytsq.exe
    Filesize

    361KB

    MD5

    34620843c7f3c89dfd8538fd4556d5e5

    SHA1

    3701e8ed35f4b9410fcc4decda4b7d7973d52693

    SHA256

    2780f5ae7e10ef97b98f66c8da2f9350b1e2a6a0f98fbfe637f4f05bc615fe88

    SHA512

    a2402ab4ba9323c1db5d9f47df70226ae6603a1489a83c64acf33bfe1b9ed23ae6682cd44bace624020539c3c718a7443ed153aa232669c8916f070c859c4bce

    Download Submit

  • C:\Temp\srpljfvupojhytsq.exe
    Filesize

    361KB

    MD5

    34620843c7f3c89dfd8538fd4556d5e5

    SHA1

    3701e8ed35f4b9410fcc4decda4b7d7973d52693

    SHA256

    2780f5ae7e10ef97b98f66c8da2f9350b1e2a6a0f98fbfe637f4f05bc615fe88

    SHA512

    a2402ab4ba9323c1db5d9f47df70226ae6603a1489a83c64acf33bfe1b9ed23ae6682cd44bace624020539c3c718a7443ed153aa232669c8916f070c859c4bce

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y4VF1E6T.txt
    Filesize

    601B

    MD5

    659b3d59ed37491e122ac6e91ba1f210

    SHA1

    0443ede603ef2b91823830afd9244c8ff1887e26

    SHA256

    aa1e3a8b1407ea7cb7d4b43eb6fa34576ffb0dbe808b3c2f0d961383f647dee7

    SHA512

    c8e73b24912ed499536e478ef54169799beaa1100250afd546789e1447cc5d4f5fb4aba8f93d57a9a7ee32de177dacc22becadefc1eebf32382a0777c6c09739

    Download Submit

  • C:\temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8dc1c9f3ae3709b0364c2151d66b7ad0

    SHA1

    72053f08cdb68ff2cd92d3863960b8e02d2d2959

    SHA256

    929a1074470c90f802afb546c7bdfbccbf56ea0f73716b74849d8df1563e5175

    SHA512

    eb71ac9d9c34e562508a0d8531f30e8d50d9a6fb32e83937b63e4098cd426bc85fe0b09058236e7dc9763787077ecacda58c0b9da11b5dc3a79f22fdb97b858d

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8dc1c9f3ae3709b0364c2151d66b7ad0

    SHA1

    72053f08cdb68ff2cd92d3863960b8e02d2d2959

    SHA256

    929a1074470c90f802afb546c7bdfbccbf56ea0f73716b74849d8df1563e5175

    SHA512

    eb71ac9d9c34e562508a0d8531f30e8d50d9a6fb32e83937b63e4098cd426bc85fe0b09058236e7dc9763787077ecacda58c0b9da11b5dc3a79f22fdb97b858d

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8dc1c9f3ae3709b0364c2151d66b7ad0

    SHA1

    72053f08cdb68ff2cd92d3863960b8e02d2d2959

    SHA256

    929a1074470c90f802afb546c7bdfbccbf56ea0f73716b74849d8df1563e5175

    SHA512

    eb71ac9d9c34e562508a0d8531f30e8d50d9a6fb32e83937b63e4098cd426bc85fe0b09058236e7dc9763787077ecacda58c0b9da11b5dc3a79f22fdb97b858d

    Download Submit

  • \Temp\CreateProcess.exe
    Filesize

    3KB

    MD5

    8dc1c9f3ae3709b0364c2151d66b7ad0

    SHA1

    72053f08cdb68ff2cd92d3863960b8e02d2d2959

    SHA256

    929a1074470c90f802afb546c7bdfbccbf56ea0f73716b74849d8df1563e5175

    SHA512

    eb71ac9d9c34e562508a0d8531f30e8d50d9a6fb32e83937b63e4098cd426bc85fe0b09058236e7dc9763787077ecacda58c0b9da11b5dc3a79f22fdb97b858d

    Download Submit

  • \Temp\srpljfvupojhytsq.exe
    Filesize

    361KB

    MD5

    34620843c7f3c89dfd8538fd4556d5e5

    SHA1

    3701e8ed35f4b9410fcc4decda4b7d7973d52693

    SHA256

    2780f5ae7e10ef97b98f66c8da2f9350b1e2a6a0f98fbfe637f4f05bc615fe88

    SHA512

    a2402ab4ba9323c1db5d9f47df70226ae6603a1489a83c64acf33bfe1b9ed23ae6682cd44bace624020539c3c718a7443ed153aa232669c8916f070c859c4bce

    Download Submit