Overview

overview

8

Static

static

1

86f757ab1d...d8.exe

windows7-x64

8

86f757ab1d...d8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8.exe

  • Size

    346KB

  • MD5

    0f34cb1f25ba4b48360fd98b7cab5a10

  • SHA1

    93de67f7ac7ebb72b801c7c098bb59f29a7a8fce

  • SHA256

    86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8

  • SHA512

    70b052db42277dd3e743243157fe8c4d1bc40aa32092338f7302ccf0e5bb6ed25c7c71f02afe0ae67744ce43b05378edd3e029be42573cb79abc7d0b4ec27ed0

  • SSDEEP

    6144:ye34e5MvlhNC7JuyKAs8LG9R3HNe76JvML/9c7Cr7Ob+FT:ny+YyXSvi2v2ICvOb+FT

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8.exe
    "C:\Users\Admin\AppData\Local\Temp\86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk37.icw"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk37.icw"
        3⤵
          PID:216
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1540
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:2324
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4056 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3672

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\EditPlus\kk37.icw
        Filesize

        132B

        MD5

        2c105f3c5da6702374835cf5d390700d

        SHA1

        cce2cc2cde133df4772446886acafac5042fe9c0

        SHA256

        033154bd33107aea0a6b0755584d2a047c4b201f51a7134929dff05eeff1e8c9

        SHA512

        505718bab301903a75540c28b1e2a54f18e15fb0267770b7a6f986f5bdb62a7e1c6511dd987c23f2ea978be3541a80fc4ffd7a71b6fe4a51a06b1d401eea93f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsbF0DE.tmp\System.dll
        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsbF0DE.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsbF0DE.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        acc2b699edfea5bf5aae45aba3a41e96

        SHA1

        d2accf4d494e43ceb2cff69abe4dd17147d29cc2

        SHA256

        168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

        SHA512

        e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        Filesize

        44KB

        MD5

        7c30927884213f4fe91bbe90b591b762

        SHA1

        65693828963f6b6a5cbea4c9e595e06f85490f6f

        SHA256

        9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

        SHA512

        8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk37.icw
        Filesize

        840B

        MD5

        669a1a6d8d3c2d7dd22c513bb4ea9f2f

        SHA1

        c009a8caceeeda334d7bbad63b79b68635ff5b6d

        SHA256

        aeb3c5fba20401f514bb270132a380aabcec600d8d7e8a69469a17df5e11a7b1

        SHA512

        08db47ef0811b8072db6ed8514637f97b7fa65d4dd67da5f5c2c496c8963c02fa3a09d6874811c65a681bc6d9a531495e36bf5b05dcd75484694f40e5c054ce6

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        5be4eb5fdadec491b400154856934411

        SHA1

        08fe0f77953b2f9551f31b866af1979abf17fb76

        SHA256

        4fe92016750ab429662870c03966c4cc0b8f2c9e179daa17a05298d0fb5d4dc8

        SHA512

        d42369fa74df36433b807c025b8214984ba24ca77ab38946664b8b2017f9e5383b83751744c1ffb716206470e832fab72ca24ae8cf2808250af86afef742ce90

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
        Filesize

        80KB

        MD5

        5be4eb5fdadec491b400154856934411

        SHA1

        08fe0f77953b2f9551f31b866af1979abf17fb76

        SHA256

        4fe92016750ab429662870c03966c4cc0b8f2c9e179daa17a05298d0fb5d4dc8

        SHA512

        d42369fa74df36433b807c025b8214984ba24ca77ab38946664b8b2017f9e5383b83751744c1ffb716206470e832fab72ca24ae8cf2808250af86afef742ce90

        Download Submit