7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e

Analysis

max time kernel
221s
max time network
334s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
Size

126KB
MD5

6afd0b18e6a6c7909ab7ee485e5408aa
SHA1

0e46eac952c441ed4505977b46aaa5455d5ca9ff
SHA256

7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e
SHA512

b0a168db9c1b1b5a8f8c969a8e0ce69b6ac07730bcd7a2c1785faa48395fcd193a79487e961cf6d5dd57bf710f37d30e7364fefa8e629423c536b072f671ac91
SSDEEP

3072:RgXdZt9P6D3XJkSN/na4byCXoHF5Tpg5zxoqdRFRsNzQh:Re3499nwLpcxoQXsN2

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1280	SeStPage.exe

Deletes itself 1 IoCs

pid	Process
792	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
1280	SeStPage.exe
1280	SeStPage.exe
1280	SeStPage.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SeStPage = "C:\\Program Files (x86)\\SeStPage\\SeStPage.exe"	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SeStPage\SeStPage.exe	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
File created	C:\Program Files (x86)\SeStPage\SeStPacnt.exe	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
File created	C:\Program Files (x86)\SeStPage\uninst.exe	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
File created	C:\Program Files (x86)\SeStPage\cns.dat	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Secondary Start Pages	SeStPage.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1280	SeStPage.exe
Token: SeBackupPrivilege	1280	SeStPage.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1280	SeStPage.exe
1280	SeStPage.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 1280	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	28
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29
PID 540 wrote to memory of 792	540	7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe	29

C:\Users\Admin\AppData\Local\Temp\7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe
"C:\Users\Admin\AppData\Local\Temp\7686f7c935a81e99becc73063b1f2e7075ee7f5da815918a7d829d838e34635e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files (x86)\SeStPage\SeStPage.exe
  "C:\Program Files (x86)\SeStPage\SeStPage.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
264B

MD5
590bb6cfed5848174b0e4a87f52cf44a

SHA1
2215d2fc080285b9f32f3333994e40de08ffac81

SHA256
ebd1edd41954a6dd0b3af13a94400c578952a62a048ee7652c3ac2e2af39d87a

SHA512
128fa8a09ee9f3944b3431d1c42b1ba81f9fdf3ae3bd72f0b50ca8563b1ae5e00b099dd5a1a720229c79bc38a9efc1629de2be5f293cb87021917bc0347e4424

Download Submit
C:\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
C:\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
C:\Program Files (x86)\SeStPage\cns.dat

Filesize
21B

MD5
69f0e195da60ad9c40f748e23db843b3

SHA1
fe372b6c8d7fddbca21b2b78513c073f71ecf156

SHA256
a9dead8a885a9320f1652b1bf85b4af35e337243c7ba1bc99c8ce79007d32ce1

SHA512
0266173c5516a76d989dbde09a3dad197debd53882f410bc5037fad8f389978f8e31c65fa71d3ea972f803166200aa8b6b5b3bdf09506da5e58a7dbbafbfd12a

Download Submit
\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
\Program Files (x86)\SeStPage\SeStPage.exe

Filesize
368KB

MD5
cfed4f02ff21557a607927835b79ee1e

SHA1
12de3947cf15e7577cf80a71e17804b2d8374005

SHA256
7f1ee53a6b9360a2af9a6ed48b41f679e7efe8e1d0e661307a034889d71c27da

SHA512
a4d4579067be659db1caa6578602a361c3f296af80931979740ee7b9eb06e1dec364d8389a0eaffcac1b7dbf95883664b647ef06830a71c599e3c62364c99362

Download Submit
\Users\Admin\AppData\Local\Temp\nsk2ACA.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
memory/540-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads