Overview

overview

8

Static

static

983f658e8f...9e.exe

windows7-x64

8

983f658e8f...9e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    203s
  • max time network
    209s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e.exe

  • Size

    25KB

  • MD5

    0ba6a784f270f68fa6e102277f9e04c0

  • SHA1

    21c2094526da9ee107fd4421f70e73acfe8c269f

  • SHA256

    983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

  • SHA512

    d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

  • SSDEEP

    768:OqbKI+C2pbyw15X/WllPlqZrpvUnPius:tKI+C2pWw1kzNq7MPiu

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e.exe
    "C:\Users\Admin\AppData\Local\Temp\983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\wbem\csrss.exe
      C:\Windows\system32\wbem\csrss.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\wbem\csrss.exe
        C:\Windows\system32\wbem\csrss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\SysWOW64\wbem\csrss.exe
          C:\Windows\system32\wbem\csrss.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          PID:1556
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
          4⤵
            PID:1380
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
          3⤵
            PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
          2⤵
          • Deletes itself
          PID:1620
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1776
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:824

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\temp.bat
        Filesize

        296B

        MD5

        6d4b95098b9a9f9cba6abb84be3f325f

        SHA1

        635dbf01655aa7c254a0742eeccfcc10448ebe3e

        SHA256

        48f32a7b5091f7a2603c9679bfd5183e8a4490603e6d9225d3c4d91c1ff548f5

        SHA512

        a6d05c46f3bcbf3f71f85e796caeaa9435eeb6261972bb5a0e9f00894a22453025e6c1c2861a18301fc2bdae4751d39740d2b2a84976d3e75480fae3f74cdc40

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\temp.bat
        Filesize

        160B

        MD5

        688de2c11d07cd1a0f0a22aaba2f38fe

        SHA1

        c693ee247172adf49b1fe68c597358b0e0e2477e

        SHA256

        8fd8370941a44a938f35789dae430fe4ee8bb1443f05baad544b48c261ae40d7

        SHA512

        d1ecc15e5e1da8d9f35f95ed2b66763ed314e9b523dacd1eb42332b8f3d9c8256f46830c7b9c107ada42cc51d4dfe6ac9cd845b6fdbcf25677c5c50b138bde0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\temp.bat
        Filesize

        160B

        MD5

        688de2c11d07cd1a0f0a22aaba2f38fe

        SHA1

        c693ee247172adf49b1fe68c597358b0e0e2477e

        SHA256

        8fd8370941a44a938f35789dae430fe4ee8bb1443f05baad544b48c261ae40d7

        SHA512

        d1ecc15e5e1da8d9f35f95ed2b66763ed314e9b523dacd1eb42332b8f3d9c8256f46830c7b9c107ada42cc51d4dfe6ac9cd845b6fdbcf25677c5c50b138bde0a

        Download Submit

      • C:\Users\Admin\AppData\Local\n.ini
        Filesize

        19B

        MD5

        e415f059d8566da0d8d44108e0e915fe

        SHA1

        34dff1c646f465308c2804f0f046bbdcdfb53661

        SHA256

        b6765a3102953c72201321bfe2ef838e13e3ce395ef26c72e515a140e6d6d782

        SHA512

        fde3978b4d56abe680806dc62e6b9ad7f10ef2c6cbb1c7999c2f64c180056a600b98503446a1f3d2bd46487ef84d9a13ec1f3246d00451610a51af3fb21fec1b

        Download Submit

      • C:\Users\Admin\AppData\Local\n.ini
        Filesize

        19B

        MD5

        e415f059d8566da0d8d44108e0e915fe

        SHA1

        34dff1c646f465308c2804f0f046bbdcdfb53661

        SHA256

        b6765a3102953c72201321bfe2ef838e13e3ce395ef26c72e515a140e6d6d782

        SHA512

        fde3978b4d56abe680806dc62e6b9ad7f10ef2c6cbb1c7999c2f64c180056a600b98503446a1f3d2bd46487ef84d9a13ec1f3246d00451610a51af3fb21fec1b

        Download Submit

      • C:\Users\Admin\AppData\Local\n.ini
        Filesize

        19B

        MD5

        e415f059d8566da0d8d44108e0e915fe

        SHA1

        34dff1c646f465308c2804f0f046bbdcdfb53661

        SHA256

        b6765a3102953c72201321bfe2ef838e13e3ce395ef26c72e515a140e6d6d782

        SHA512

        fde3978b4d56abe680806dc62e6b9ad7f10ef2c6cbb1c7999c2f64c180056a600b98503446a1f3d2bd46487ef84d9a13ec1f3246d00451610a51af3fb21fec1b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3A34JKK5.txt
        Filesize

        608B

        MD5

        de67f928a9a9c7db82517cd92aa8b506

        SHA1

        bcb9124580df4bc98e76543585104e23e8bb63a2

        SHA256

        ce86ec2a118ac3b16a2a83fef121a92aba8527259f4073a76c5e2601100fdace

        SHA512

        e84405236488a983599fcff900749f9a77bfdec12c617bf22d4e52d4d4aa041e6df2609fd1fddf1e6d3b50d5a3c58b3e0ecf5251993f09dd550079d742efa216

        Download Submit

      • C:\Windows\SysWOW64\n.ini
        Filesize

        19B

        MD5

        e415f059d8566da0d8d44108e0e915fe

        SHA1

        34dff1c646f465308c2804f0f046bbdcdfb53661

        SHA256

        b6765a3102953c72201321bfe2ef838e13e3ce395ef26c72e515a140e6d6d782

        SHA512

        fde3978b4d56abe680806dc62e6b9ad7f10ef2c6cbb1c7999c2f64c180056a600b98503446a1f3d2bd46487ef84d9a13ec1f3246d00451610a51af3fb21fec1b

        Download Submit

      • C:\Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • C:\Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • C:\Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • C:\Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • \Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • \Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • \Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • \Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • \Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • \Windows\SysWOW64\wbem\csrss.exe
        Filesize

        25KB

        MD5

        0ba6a784f270f68fa6e102277f9e04c0

        SHA1

        21c2094526da9ee107fd4421f70e73acfe8c269f

        SHA256

        983f658e8f38cad710e854b4631c8f3b632c57b537506d98c67e80712f14429e

        SHA512

        d6be5cce86a6edf0b43815adc58bfda9fa9867dd3fcaf68a40e18fe03d938edc7b35a84ff90d5ff2875b6499f6ed47d874ec95b6e2663a418cb6971c3089996e

        Download Submit

      • memory/1316-77-0x0000000006000000-0x0000000006012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1388-65-0x0000000006000000-0x0000000006012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1388-75-0x0000000006000000-0x0000000006012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1556-87-0x0000000006000000-0x0000000006012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1992-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1992-62-0x0000000006000000-0x0000000006012000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1992-55-0x0000000006000000-0x0000000006012000-memory.dmp

        Filesize

        72KB

        Download