Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-12-2022 06:24

General

  • Target

    737c6a1212aa7f80fa49ac37872277b12c84f0dfcc2645733d2f6504fc4563ce.exe

  • Size

    1001KB

  • MD5

    6e2d9e8a2ab7cc73d535109d46f5ccb8

  • SHA1

    5a96efe70d5bb0d38f0f7b4b25b188deb582103f

  • SHA256

    737c6a1212aa7f80fa49ac37872277b12c84f0dfcc2645733d2f6504fc4563ce

  • SHA512

    cf8f6d862fa620cb63fd658973b3a1f976a95a3b620e4b2712f26e54a4607b9f15caf83cd842bde9aebce60a25c75335d3d067541cb548b5ea6b2865c371f4eb

  • SSDEEP

    24576:wBRk6WvFq9FStU4gf2EW5A2DJr/kS4vGIk6v3Hbo:wUvF4h43Dp/wPHs

Score
8/10

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\737c6a1212aa7f80fa49ac37872277b12c84f0dfcc2645733d2f6504fc4563ce.exe
    "C:\Users\Admin\AppData\Local\Temp\737c6a1212aa7f80fa49ac37872277b12c84f0dfcc2645733d2f6504fc4563ce.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\52.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3092 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\58.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4832 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2216
    • C:\Windows\Server_Setup.exe
      "C:\Windows\Server_Setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4484
  • C:\WINDOWS\Hacker.com.cn.exe
    C:\WINDOWS\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:3124
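The tree above already tells the story: the sample in %TEMP% writes `Server_Setup.exe` into `C:\Windows` and runs it, opens two GIFs from `C:\Windows` in Internet Explorer as a visual decoy, and a second copy of the same binary (`Hacker.com.cn.exe`) then appears as a root-level process with no parent captured in the tree. The following script is an added example, not part of the sandbox report: it transcribes the process tree from the section above and runs three editor-written heuristics over it (drop-then-execute into the Windows directory, local decoy file opened via iexplore.exe, unattributed root process running from the Windows directory). The directory constants are taken from the paths shown in the report; the rule names and thresholds are assumptions.

```python
"""Triage of the process tree in the report above.

Added example, not part of the sandbox report: the tree is transcribed from the
'Processes' section, and the three checks are this editor's own heuristics, not
sandbox signatures. Rule names are assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None: parent not captured in the report's tree


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\737c6a1212aa7f80fa49ac37872277b12c84f0dfcc2645733d2f6504fc4563ce.exe")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE64U = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

# Transcribed from the report (PIDs, images and command lines as listed there).
TREE = [
    Proc(2168, SAMPLE, f'"{SAMPLE}"', None),
    Proc(3092, IE64, f'"{IE64}" C:\\Windows\\52.gif', 2168),
    Proc(1232, IE32, f'"{IE32}" SCODEF:3092 CREDAT:17410 /prefetch:2', 3092),
    Proc(4832, IE64, f'"{IE64}" C:\\Windows\\58.gif', 2168),
    Proc(2216, IE32, f'"{IE32}" SCODEF:4832 CREDAT:17410 /prefetch:2', 4832),
    Proc(4484, r"C:\Windows\Server_Setup.exe", r'"C:\Windows\Server_Setup.exe"', 2168),
    Proc(2568, r"C:\WINDOWS\Hacker.com.cn.exe", r"C:\WINDOWS\Hacker.com.cn.exe", None),
    Proc(3124, IE64U, f'"{IE64U}"', 2568),
]

# Directories as they appear in the report's paths (sandbox VM layout).
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
WINDIR = r"C:\Windows"
# Extensions that a dropper typically opens purely to distract the user (assumption).
DECOY_EXT = {".gif", ".jpg", ".png", ".bmp", ".txt", ".pdf"}


def _arg_after_image(p: Proc) -> str:
    """Command-line remainder after the (optionally quoted) image path."""
    for prefix in (f'"{p.image}"', p.image):
        if p.cmdline.startswith(prefix):
            return p.cmdline[len(prefix):].strip()
    return p.cmdline


def _in_dir(path: str, directory: str) -> bool:
    """True if path sits directly in directory (case-insensitive, no subdirectories)."""
    return ntpath.dirname(path).lower() == directory.lower()


def triage(tree: List[Proc]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the three heuristics."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        base = ntpath.basename(p.image).lower()
        # 1. Process from %TEMP% starts an executable sitting in the Windows root:
        #    the drop-then-execute pattern of a dropper.
        if parent and _in_dir(parent.image, TEMP_DIR) and _in_dir(p.image, WINDIR):
            findings.append(("dropped_exe_executed", p.pid, p.image))
        # 2. Internet Explorer opened on a local media file written into C:\Windows:
        #    a decoy shown to the user while the payload installs.
        if base == "iexplore.exe":
            arg = _arg_after_image(p)
            if _in_dir(arg, WINDIR) and ntpath.splitext(arg)[1].lower() in DECOY_EXT:
                findings.append(("decoy_opened", p.pid, arg))
        # 3. Root-level process running from the Windows root with no parent in the
        #    captured tree: launched by something the sandbox did not attribute, so
        #    the persistence mechanism (service/autostart) still has to be located.
        if p.parent is None and _in_dir(p.image, WINDIR):
            findings.append(("unattributed_root", p.pid, p.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(TREE):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Rule 3 is deliberately weak: it only says the parent is missing from the capture, not how `Hacker.com.cn.exe` was started. The report's own signatures (`Suspicious use of AdjustPrivilegeToken` on both copies of the binary) are the next thing to look at when deciding whether a service was registered.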

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      ac572cbbc82d6d652cdbe2596aeac4ee

      SHA1

      a631b27cf33fe134f42ed411d7ea06c21df41ad5

      SHA256

      50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

      SHA512

      070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      434B

      MD5

      d0841befc978ecc9c39e76282cc344c5

      SHA1

      04985576bd14143092b86a15ec1e939f67c5a612

      SHA256

      ba90ac662eaa5b61bb1048f8e18dd94cd3fc51239928746f8e1c3a34dc81a342

      SHA512

      61b375cdbda4246a7eb3f3b9d5db0bc8581ba97aa9bce682fa837fb88da66a6dbe9544fa9407d6e8f2e241e86f96278cc7f28995af8d866759f0f0ce827501aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      434B

      MD5

      fd13cf1f67ed5c64521c42b9185fc6d5

      SHA1

      ebe00dcb4149589722ea0ea01daa82ebe7f2d228

      SHA256

      654dfe73d556664dc52abcd46ab8e6ac28c66a303db5644a24c7ea80baec35b6

      SHA512

      50e9df0358249f01511e2cfad0e7eedb93cebbfd941b49b11d39e17359d6f9ea0d0f4d7de33ae6c1e6afe8b0edc1cba406693af2dfe48961d54662938020ff6c

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1064572-7534-11ED-AECB-72E5C3FA065D}.dat

      Filesize

      5KB

      MD5

      46aa9eed6ae6d53b5490a2284cd97b6f

      SHA1

      59e0f652fbd6216483da79d0cac7d96262f81445

      SHA256

      d3d940c2b56a76a557ca3039937ad6b61e4c3fb0780966d3498ea594743b6775

      SHA512

      6533b53f928a0f5bad254905d1303dec2cf4c9927d1849be9c7425a59b263de75250a5e1c537fd8b3d84c2d09da046d93453c5e5b0301049622cd45432e4ddb3

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E119598F-7534-11ED-AECB-72E5C3FA065D}.dat

      Filesize

      4KB

      MD5

      9edb0c78fd2c01c1419d731973239612

      SHA1

      5ef13324993b3543b9beea24e3cd199779152daf

      SHA256

      03a521db24399b6474ffce93ed088031405c300160df3682a69fd46fc73a20b1

      SHA512

      42ca26bca0b3ea5313160f9db27553eb2e903953e53f9526174133ca87dfc146f31fb5c7a26c8ad80bf44b08d5e42615d18ffe01b3bd9afd1097bd8c6202146a

    • C:\WINDOWS\Hacker.com.cn.exe

      Filesize

      743KB

      MD5

      d73581301782149d24383e602ea604b3

      SHA1

      96b73a0255647f1e5d36041c91d8333dede16aec

      SHA256

      70f71fbfcab11a348aec03075d768530cacc29f6fe2fcf626e0a9a1fab87cde8

      SHA512

      d9c4d13b1db7b9609ac5107200e786149a5db351c6cabfbb1d8f0734dfbd866a8cd8edc080ebd0d07bf23968850ed4ddb60c51d078acae9c92f8892c8bcc00fb

    • C:\Windows\52.gif

      Filesize

      218KB

      MD5

      9f8c87ada1d5384d534a30dd74a87a46

      SHA1

      a9afdbdf992cec7d2d305bfdf89d59d2dcd2133d

      SHA256

      936cbbb74fa6642ed2f6218cfd1f0d6e465e126726653445296b398aa4e8f276

      SHA512

      4e0a3f36d54e0f34363556fe9f06b4ea95193e879a8ab3acc12044b1e9678e58f901a3e632a3d332e10d42a83325699b85d94bb31f08f71252924165ff35d6e1

    • C:\Windows\58.gif

      Filesize

      17KB

      MD5

      41bbaf8278772dc824bb8ea9fdbc154f

      SHA1

      4fac07e27ac17a67374a083e5a907ca4d5314729

      SHA256

      150adea695face4e177ab81a93e0ec557df23cf7a842edd0a1e9edf54ce902f8

      SHA512

      365acbe1d88023fc541c8f0083a88c20d9c5ff5171f1838c012fc4202870a8ff678e8d8e0b7eabd7b924a7857c2b20b8111ff6a2d28c5993f5e099210cde82af

    • C:\Windows\Hacker.com.cn.exe

      Filesize

      743KB

      MD5

      d73581301782149d24383e602ea604b3

      SHA1

      96b73a0255647f1e5d36041c91d8333dede16aec

      SHA256

      70f71fbfcab11a348aec03075d768530cacc29f6fe2fcf626e0a9a1fab87cde8

      SHA512

      d9c4d13b1db7b9609ac5107200e786149a5db351c6cabfbb1d8f0734dfbd866a8cd8edc080ebd0d07bf23968850ed4ddb60c51d078acae9c92f8892c8bcc00fb

    • C:\Windows\Server_Setup.exe

      Filesize

      743KB

      MD5

      d73581301782149d24383e602ea604b3

      SHA1

      96b73a0255647f1e5d36041c91d8333dede16aec

      SHA256

      70f71fbfcab11a348aec03075d768530cacc29f6fe2fcf626e0a9a1fab87cde8

      SHA512

      d9c4d13b1db7b9609ac5107200e786149a5db351c6cabfbb1d8f0734dfbd866a8cd8edc080ebd0d07bf23968850ed4ddb60c51d078acae9c92f8892c8bcc00fb