Overview

overview

8

Static

static

c1f2bf4d92...bb.exe

windows7-x64

8

c1f2bf4d92...bb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1f2bf4d9274c2b003dc3b18a0033d6911df7ddc1eb1671697e1e6113cd330bb.exe

  • Size

    100KB

  • MD5

    1fe251ce38f5d224a32c11363b5ec0df

  • SHA1

    5300c08cebdd3aef4b311358ef45b9dd81498ebd

  • SHA256

    c1f2bf4d9274c2b003dc3b18a0033d6911df7ddc1eb1671697e1e6113cd330bb

  • SHA512

    a14492ad2a55717729c191e3c67d0d7b0c7431a0fc89c9c8c3673f227eb87d5dba7e1770e882841e0007fbe4547e520b692a74ef88448a821b6692a467518676

  • SSDEEP

    3072:DGu9BlfzWIbXWm+w0JPU5CTkHlT1l1O9TEF:D/0uo7KHlJb

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1f2bf4d9274c2b003dc3b18a0033d6911df7ddc1eb1671697e1e6113cd330bb.exe
    "C:\Users\Admin\AppData\Local\Temp\c1f2bf4d9274c2b003dc3b18a0033d6911df7ddc1eb1671697e1e6113cd330bb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\System32\explorer.exe" http://browseusers.myspace.com/Browse/Browse.aspx
          4⤵
            PID:1092
          • C:\Windows\msupdate32.exe
            "C:\Windows\msupdate32.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1932
            • C:\Windows\msupdate32.exe
              C:\Windows\msupdate32.exe
              5⤵
              • Executes dropped EXE
              PID:832
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1608

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      f6dc62acffa02e7c028725887e3dcc95

      SHA1

      ced732b20f283468e146e9d8dd7cc1321aca2b81

      SHA256

      d58ec28dc8313e2e07ea86d649b56c096e499e418119e2acedabc6857cfa492d

      SHA512

      95d3f20b976a6af98ec9cd75917950da0d87f7470d7dd0b8ace5cebb419476bc7595fa248384f7511f3b7c26ef8689fbab9be7e9b1b76f78b2a1c88703c687fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3J0I3FQZ.txt
      Filesize

      601B

      MD5

      ad150e02d7514b149df4d4e377c77e67

      SHA1

      785b86ca12ecd3b54ed4cd0e26edd24a29a1a3ce

      SHA256

      08ffa00f367201548f2d2d8feda630beb9ec82bcb6deb6319287839d5ffc18b0

      SHA512

      8649509209848f0cbe4177b9757a2fa1554a4937c35a4e25432397db30e80bfa57161a1b0004d19c1b9d65b7f906bf7ef6326b50fb047fdea27f1cd8898e6218

      Download Submit

    • C:\Windows\msupdate32.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • C:\Windows\msupdate32.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • C:\Windows\msupdate32.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\myspace.exe
      Filesize

      55KB

      MD5

      f4e91307aaed1494cc03d9aaa03b04ec

      SHA1

      8e27c15a0ca0115db2b33fd33100bc82098cdaf6

      SHA256

      e8b0352753168b85453f016775d080d6aa18775e05164a199f8f8b53557149ba

      SHA512

      3e948cf51c99314fc38d8b31c8046dc544884eddddd1b16632272a25b99725cb821ab7c47da6584d52ee0dc3f8728d20c47963cea6e9be8708be580a640d37c5

      Download Submit

    • memory/832-90-0x0000000000405232-mapping.dmp

      Download

    • memory/832-100-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/832-99-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1092-91-0x0000000074421000-0x0000000074423000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1092-78-0x0000000000000000-mapping.dmp

      Download

    • memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1620-57-0x0000000000000000-mapping.dmp

      Download

    • memory/1860-66-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-67-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-73-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-69-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-98-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-77-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-64-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-63-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-70-0x0000000000405232-mapping.dmp

      Download

    • memory/1932-80-0x0000000000000000-mapping.dmp

      Download

    • memory/2028-97-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

      Filesize

      8KB

      Download