Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 06:04

General

  • Target

    e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe

  • Size

    569KB

  • MD5

    7fd9af1c1a854f847f2ffe95458dcfd9

  • SHA1

    7c8b78682ab85ee6a2e2800485d6889560490cc7

  • SHA256

    e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d

  • SHA512

    c53eeacad56a512bdc55f92a463b6d8f5858cdd900027b5ef250b9af64e1f36ec91f888d74dbd0245058cea7dc646e6c074315d3f71ad4eaefda8c7fd5c180d6

  • SSDEEP

    12288:f3nZMhJ+ubN8pqZP9keT9hbdotzjnzrrm837L+R/4YjunOL0vyqqaw:f3nZqfb+pqZVkeT9hbmzPmHtvun8ww

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe
    "C:\Users\Admin\AppData\Local\Temp\e33f409856880d6d18e9d0e02f6afa7d8d486b46540afa3408283234bc9ae65d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\wina.exe
      "C:\Users\Admin\AppData\Local\Temp\wina.exe" -papapa
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Users\Admin\AppData\Local\Temp\svghost.exe
        "C:\Users\Admin\AppData\Local\Temp\svghost.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        PID:4376
    • C:\Users\Admin\AppData\Local\Temp\Tibia.exe
      "C:\Users\Admin\AppData\Local\Temp\Tibia.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\updater.exe
        "C:\Users\Admin\AppData\Local\Temp\updater.exe" 0;0;1104;2300
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
    PID:1520
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3776
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3792
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
      1⤵
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      PID:4232

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Tibia.exe

            Filesize

            343KB

            MD5

            4ff5f5486f49137cf5919acf6dd6a99b

            SHA1

            aa3b3c6ba4e3ae5f064c41224a5f13ab19196eab

            SHA256

            f7814fd9fa75c0468cd16ffe356a24c352b5539897e3789c09d5139a8bf3d8d1

            SHA512

            b246886aa1aaa3f18171f8d0d91de655673228cbc1ae63415b4da611e8db0b8e8f93e8c63e0c0f80768e0fef6b330d8fa7136737a1f52066f2f2f8a5a2ef2522

          • C:\Users\Admin\AppData\Local\Temp\svghost.exe

            Filesize

            501KB

            MD5

            a252c588ae7c5ef6c86be590c86a9c8e

            SHA1

            232bfa074deeea0d1435e42abbf5b57e75eb7e12

            SHA256

            1ff274c6278f14fd8baf282c148f3ee22a0de50810bd1f74a8163a5b2b927983

            SHA512

            619f40c7d5f985574c46d43d83f50d3d6e64dcba048812f9c3e32d52a4afd37d60524ef921b9cea9c4109ef904300fb1a776fe1239a2fadac26fdc712406371e

          • C:\Users\Admin\AppData\Local\Temp\updater.exe

            Filesize

            88KB

            MD5

            b2424fda6bec648a48263784e27722de

            SHA1

            4fb66ac21edd9b3243c36ce2f2c32cb7270e007b

            SHA256

            ba0d15bec9e42159c9675eabea6a8ef068906fb324b6716f54345a87f81a1731

            SHA512

            8b86f8c9b372b94c66185ffd94ca2e5ad66be576afba2327814a10fd131bd1e38f4bab92459570023328264b9faf687292e04ff37e25ef2d3d76b09fac8bee30

          • C:\Users\Admin\AppData\Local\Temp\wina.exe

            Filesize

            220KB

            MD5

            dc693b8d851d7474685d27767e9944d2

            SHA1

            6858885841bd97337984f0179fd0e7437a39db97

            SHA256

            0f69b4596c396fe700e33eb19900f718e65cb3e449f9c9e5f04d63067359107d

            SHA512

            afb93f3bd6e8b30e4c22868381295325c239dbc830191f389f7c31df1fefade599b78cd4cf44cbc099500bd73fc2343fac7ae1a4469e7510fc0fa59d6ce52ad7

          • memory/1732-147-0x00007FFD3FD30000-0x00007FFD40766000-memory.dmp

            Filesize

            10.2MB

          • memory/2300-138-0x00007FFD3FD30000-0x00007FFD40766000-memory.dmp

            Filesize

            10.2MB

          • memory/2300-143-0x000000000178A000-0x000000000178F000-memory.dmp

            Filesize

            20KB

          • memory/2300-148-0x000000000178A000-0x000000000178F000-memory.dmp

            Filesize

            20KB