Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/12/2022, 10:39

General

  • Target

    858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe

  • Size

    435KB

  • MD5

    dde59803ad21998c769f45975bc028eb

  • SHA1

    058b4c801773d6acd2e1a4a4d2fc51698090d05f

  • SHA256

    858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3

  • SHA512

    fc1debe4b2648c5f08d9ca5f2ab212009f847681cb6c0a37953806bec981869687f12b0e697305a526b1ba984309335fee56f19419fbc94cd5282d6141ce3171

  • SSDEEP

    12288:gG4vQqF148+hgIWOMaAto70A1BbZq9kl4M:mr42KMaxp16M

Malware Config

Signatures

  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe
    "C:\Users\Admin\AppData\Local\Temp\858887b380596f12cbe30e3392b88ce7f8a9db25955034d94ec2a772d9a01ab3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\windows\system\Isass.exe
      "C:\windows\system\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: GetForegroundWindowSpam
      PID:592
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\windows\system\cartao.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    92e3a0c7a5ba35f16fde2166d7da0b0d

    SHA1

    9688a27a9ce5f8338b3cd555fac9500a947427c9

    SHA256

    e018076f8a5c61a2bf2375f5fc3acf3e42531a06e8186ccb1a8202641d76d86e

    SHA512

    31760f5d922030db57fd02e95e5c09f973caf5d8e353d07ba95252939a6efaf70e1d5ec90d595135556f8336c641983dfda1e0af268b6f94ca81a8ee6e6b58f7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YR60PAS1.txt

    Filesize

    608B

    MD5

    a13b74e849b253652b1ec9a6f9b5e51e

    SHA1

    5d4f9176dde67228ad5eea0b95b95f226b21bcce

    SHA256

    b7ac35452942e8100e4e8071cb4f21d45f571d85d0259d4341a663e72143bb0c

    SHA512

    c2c707ff2a428b91581d6760e1c3e4f2ffa9d205b1f55bb6bdb1ada6940663765b2a505d7561905a88fea4d1ba572dcc6612e78afbef76412e919a9ac8fdc1b6

  • C:\Windows\system\Isass.exe

    Filesize

    374KB

    MD5

    8e84e918828c24aa20163f099802eda1

    SHA1

    db2a492e3b1cd9f137bdb8567578e5116b321342

    SHA256

    db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

    SHA512

    68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

  • C:\Windows\system\cartao.html

    Filesize

    68B

    MD5

    2152787342b7e99c8c6adc6a2430183c

    SHA1

    f9a8dab3a4a08fe6af0eadcef06747cbd9c5dc11

    SHA256

    fcd6ab594cf573d80609fb22ed43db08607c32da469ce930f783668b25146775

    SHA512

    83489261f15bc9f2352a9246686cf2a091d078d90344975acaac1658743b9a5176ab36b53bbba04c1a75dd1fb6076c029cc723111d0565bb940ec5ea0d0d9511

  • C:\windows\system\Isass.exe

    Filesize

    374KB

    MD5

    8e84e918828c24aa20163f099802eda1

    SHA1

    db2a492e3b1cd9f137bdb8567578e5116b321342

    SHA256

    db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

    SHA512

    68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

  • \Windows\system\Isass.exe

    Filesize

    374KB

    MD5

    8e84e918828c24aa20163f099802eda1

    SHA1

    db2a492e3b1cd9f137bdb8567578e5116b321342

    SHA256

    db7a049e95a848a3b54d53c751803950cd20ce4185bd2ad30bc3d6003eefcd93

    SHA512

    68af9f490973adb8a7020c9bc2e622aa38bfd6503d5c2a6978e6d27e976f966bb6aa70bdd3ae4912c1e1046fb5357a24e5aaf5c0069dff5351c8e81638591135

  • memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

    Filesize

    8KB