Analysis
-
max time kernel
182s -
max time network
205s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
04-12-2022 13:39
General
-
Target
d78bb6b2684b841cbcffba8fc8e5448b112faeb617393d0cd2117cf94a2d7b19.exe
-
Size
718KB
-
MD5
56ea21d593c57095797ac79dc03bd4a7
-
SHA1
76d220d9af6e161b5642456ae9806c9e6007b665
-
SHA256
d78bb6b2684b841cbcffba8fc8e5448b112faeb617393d0cd2117cf94a2d7b19
-
SHA512
b419e3842b83564a1551b342712bb5f6006d3ad9a056adf4a6da6c9c4a28d57380fc0655ac43ab5ce2a18cdeb837108685c0b2da961a9399179be52ee90c3903
-
SSDEEP
12288:4eKrJJuf86AYcwo8oSAcNEMZMAFOVhEce7Zaxb7eInfX6Kt6supy3HZUvz30:4ruf/AfwKcLLFRHZaxb7eoKqZUvr0
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 12 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 4 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies registry class 18 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d78bb6b2684b841cbcffba8fc8e5448b112faeb617393d0cd2117cf94a2d7b19.exe"C:\Users\Admin\AppData\Local\Temp\d78bb6b2684b841cbcffba8fc8e5448b112faeb617393d0cd2117cf94a2d7b19.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.jse"2⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g93⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\baidu.exeC:\Users\Admin\AppData\Local\Temp\baidu.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\d78bb6b2684b841cbcffba8fc8e5448b112faeb617393d0cd2117cf94a2d7b19.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 4 127.13⤵
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
342B
MD595580f0b53e9e83abdb552d66c8c829e
SHA15f359522b7a02dc5a01c570056e22fde143ddc83
SHA256a890214c71c05fd9db5509f47b8f86b62a200a578904ecc78f6b521d57f52998
SHA512dca353fb865344570395e1d8d6d795976dc8e05b5a8ea275a4f7675b98de414e6a51d4634230a732dff603e405a91039695978b8eed766f3b4b1d4c6935ba0a0
-
Filesize
342B
MD50c242d1eac7d356fd236242dc1d9ada5
SHA1b77dc838f3c5ba1f4a47e71fd5a7a4221b99c316
SHA256ec2871ccb17864d6c980abdd123a71ac1bf77c7616ab301e468313d503222690
SHA51205a4707238f677cb1079d31c7c59b48b6e7bdbc634d2cdf1df394bad9e22af308e5955b9697fb46534b4060699b996fa307bef2e1afd401bb0bd3e9b3792c4cb
-
Filesize
342B
MD5c8922e63ec6e982aa6c8bdb829de24b0
SHA1fc7416a3c2cdf3d0b185007afc6f7f65fc3cfa06
SHA25656087479eded3fd2b7eab15fc4e7213b8053be61c4855c34ce6dc8a290a2666f
SHA512569e6573570a25f0febfd17bad1d99a13cf268992d4bdfe9b8c63edb2dbb0ed57bd8d031fb38920f48058dd26f52173b6227b60f93bff3ef4cef50434f86be1b
-
Filesize
342B
MD52c34daa60d9aeda1516ec9c606b2342d
SHA1d9dfd94787aa5aef4d1d8ee82583c31bded52ea4
SHA256432e379bb7484c078152f81d10dc62b5ba564f35214fce435d4665ee6182fdae
SHA5126de2b7bbe15956b6ed036af1068cba90a3338ae54afabb6099e7fdcfa1902ad29b473b6f5adc0ce30c9e32ffe4ff50abf7eb81fe0348d36cbe672a17118b8a71
-
Filesize
342B
MD51de7592653c7c97ff525440d7c537260
SHA13c4758605dd60f58130d84c696aa1267bb83cc52
SHA25647b77b8dee83d38323d33e47ad7481267a61ca3c78a92c7f6b354d5d1074725b
SHA512ef5b5c973efea1087d971b081b7627f0556f711f689b013597ee69e7502e4b8aec34d5c749171ba264d583b50ab3d534ee912a7f5d411a5f69726e9cfcbee58f
-
Filesize
342B
MD5c9d92b7a3b9f06cdca958e732562965c
SHA106fc5660584f70809e4688482608c74344cf347c
SHA256df4158e467227145b42802c901af3e9f5aa573b784729447310ed67e42cb3c8a
SHA5129634970e7aea5cccf1b01c0ae33f8bf662230ca70954a04b87d015930f5a50f2b5adc4db4eacba8d86c0a97085008babd97483f2c9c6cd807da3a7ca83b67f2f
-
Filesize
342B
MD52dc849c92f1e41697d25fc10fc426b23
SHA144befa9ad4e0490feca2c0c7bc2c353db0bae789
SHA2567ffae4074412a78dbaf4732694982eae718c51c2095d5bfbde5f259dbba50138
SHA51290b11b8baccd048f135678d2e4a2b85f87ae70955c5a3326db056422571a0cb9e04df673e355a08ac32cc4b2f42291b6e82a515130b1e0f194540778491f6162
-
Filesize
342B
MD5d912db21eaa5dc1891008c0558be3ab3
SHA157c42bb9987ea2390e91cb6af4057ffcf365e853
SHA25693ac9a141a4d894b48cebfe8a648df0d92193a981c42b0b6410ac29d000c50ca
SHA512588fdbabc00a1c3e8a9f4b0e2b5515746ecf40dc33979419e17b1bc07d10eff8abfa486460b488ab415b777f3b83ae5c01672f7b7bdc3fc4cc79b89086533e1f
-
Filesize
342B
MD509dae38b590f6da1585511a65440f0f6
SHA112ac474762c7d845b3559341f946962b10eb4276
SHA256086a1e1483915c26dcd28617e9cd90345efe97ab434835f6d8a95a4676f203b2
SHA51252c5b770fff04024e9f34decd0d8a988f526ef4e2a39fa590ca88ff9dba80f056f40b76020e06d922be9aa0091908fdeda48cc55af3d1fba71f09db03889eb39
-
Filesize
342B
MD54dd184384c5ad0bc39e5ccdb1c19fe58
SHA1246dddaab17d521ed1e278d05424b4fa445bc13e
SHA256e5d397895348d8f225625084c875a2bd10b1606e587e57c894e4c89f07eb6b67
SHA512f4eb851af99c11184f254b58c389e200a853e50c50fddb0752f14d19f832562e38e6db0fd321003822f8364700983bdfe3b0426fee3804816bdfb8ec164d6473
-
Filesize
342B
MD5c2b1ba53c3108be2d156aa993504dc8a
SHA103ca30de5fa63e7dc8469fbc5c7c5d2376794ef1
SHA2565c2ccfcff8b5feb0dbcb6d76598b3a41a4bf57da55aa02579f507ebac6d080c5
SHA512ed13103cd515cca9d7274b45939a67809a68c29753cedbabf1c655d45ae9b917552e3af1e20f42198c2c726d9a5c29645d35f77f0c7e0af858e3858983bec96d
-
Filesize
456KB
MD5b7456a4b1831ea2828d3094ec59b7070
SHA1f6330c503f668a4e6b3ac3408e5a62841159bd1d
SHA25667cc2405420fa1f04e3ac88228708d903390d14fed2481894e133cd9caca17d0
SHA5124c103cccb44841403416bf450eb05d7909e770f7f5ece36a44aa9af9184b0b839cf2920ec9a647e83b076a4f7a7af0c0611c14319c7f8729a9d3e2ef6db8c993
-
Filesize
456KB
MD5b7456a4b1831ea2828d3094ec59b7070
SHA1f6330c503f668a4e6b3ac3408e5a62841159bd1d
SHA25667cc2405420fa1f04e3ac88228708d903390d14fed2481894e133cd9caca17d0
SHA5124c103cccb44841403416bf450eb05d7909e770f7f5ece36a44aa9af9184b0b839cf2920ec9a647e83b076a4f7a7af0c0611c14319c7f8729a9d3e2ef6db8c993
-
Filesize
7KB
MD51c31e476241294110eeedeeee5518185
SHA1d6d16ff5949111243addd0bfd6f1c72ab3b742af
SHA2565bf284c882b106d714b5a9cb353a80a9fdd0cb5bf9e8ebb6e2fb444617d86bca
SHA512a135c9b2a700df76412a9a485f3364f00fd04966c3831aa0b78d19e15506caad0600fd1ac695fc49e700350a2aeb43dc0fbf5929738d1e9baf6630e052f39b90
-
Filesize
608B
MD59cc6d6826a39003bc0a196c395abec7d
SHA1c27ae8b4d4df7d921a61cdde521a4c48250806b9
SHA256c54d6347b22432988690244ca450793c87fcbd8dbeda1a1552036958cd954838
SHA5123a223191fe01ed2042e9ed9f89026822e2e3734069b7c4e0aa377a0a845275bece9693ca2abc25a20dafd6ab69593a46eb7f78eb54edde7c896acc1508be4dd2
-
Filesize
456KB
MD5b7456a4b1831ea2828d3094ec59b7070
SHA1f6330c503f668a4e6b3ac3408e5a62841159bd1d
SHA25667cc2405420fa1f04e3ac88228708d903390d14fed2481894e133cd9caca17d0
SHA5124c103cccb44841403416bf450eb05d7909e770f7f5ece36a44aa9af9184b0b839cf2920ec9a647e83b076a4f7a7af0c0611c14319c7f8729a9d3e2ef6db8c993
-
Filesize
456KB
MD5b7456a4b1831ea2828d3094ec59b7070
SHA1f6330c503f668a4e6b3ac3408e5a62841159bd1d
SHA25667cc2405420fa1f04e3ac88228708d903390d14fed2481894e133cd9caca17d0
SHA5124c103cccb44841403416bf450eb05d7909e770f7f5ece36a44aa9af9184b0b839cf2920ec9a647e83b076a4f7a7af0c0611c14319c7f8729a9d3e2ef6db8c993
-
Filesize
456KB
MD5b7456a4b1831ea2828d3094ec59b7070
SHA1f6330c503f668a4e6b3ac3408e5a62841159bd1d
SHA25667cc2405420fa1f04e3ac88228708d903390d14fed2481894e133cd9caca17d0
SHA5124c103cccb44841403416bf450eb05d7909e770f7f5ece36a44aa9af9184b0b839cf2920ec9a647e83b076a4f7a7af0c0611c14319c7f8729a9d3e2ef6db8c993
-
Filesize
456KB
MD5b7456a4b1831ea2828d3094ec59b7070
SHA1f6330c503f668a4e6b3ac3408e5a62841159bd1d
SHA25667cc2405420fa1f04e3ac88228708d903390d14fed2481894e133cd9caca17d0
SHA5124c103cccb44841403416bf450eb05d7909e770f7f5ece36a44aa9af9184b0b839cf2920ec9a647e83b076a4f7a7af0c0611c14319c7f8729a9d3e2ef6db8c993
-
-
-
-
-
Filesize
708KB
-
Filesize
8KB
-
Filesize
708KB