Overview

overview

8

Static

static

9f1b3d95f9...3c.exe

windows7-x64

8

9f1b3d95f9...3c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    179s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f1b3d95f95512eb8a7d526ebd9b54cb40e7daa1f833c6a656dc0aba4668a13c.exe

  • Size

    50KB

  • MD5

    10e1a137110947fc22c8b4922b007006

  • SHA1

    60f588d712f15ba21983395f2725344de7e058bb

  • SHA256

    9f1b3d95f95512eb8a7d526ebd9b54cb40e7daa1f833c6a656dc0aba4668a13c

  • SHA512

    995381f1cafe9caced7230aba0ebe0f593fec8b2ac99a0003327371b010fa62540d726d415b2ee41fca7d3659069e2a6599e79b30e9e877f82084b648e276c10

  • SSDEEP

    768:itGgxXiFXYbgCRDBbDnDfHfRSF8IiDrmIihGVVu6YgxfLmneqvdvLAwF:kGglbgUBvjyr3hGVVu6YyTwhBF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f1b3d95f95512eb8a7d526ebd9b54cb40e7daa1f833c6a656dc0aba4668a13c.exe
    "C:\Users\Admin\AppData\Local\Temp\9f1b3d95f95512eb8a7d526ebd9b54cb40e7daa1f833c6a656dc0aba4668a13c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Users\Admin\AppData\Local\Temp\ins13E6.tmp
        C:\Users\Admin\AppData\Local\Temp\ins13E6.tmp linkp_gverych.tmp
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ins13E6.tmp > nul
          4⤵
            PID:1396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
          3⤵
          • Drops file in Windows directory
          PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4172
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
          3⤵
          • Drops file in Windows directory
          PID:3848
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://121.14.155.219:9091/report3.ashx?m=4E-F5-0E-B2-21-00&mid=21663&tid=1&d=cc7ea818f3eb454c74b0ad53ae45b456&uid=13729&t=
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4864
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3508 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2436
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3164 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:780
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9F1B3D~1.EXE > nul
        2⤵
          PID:3992

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FD8AC3F6-77E0-11ED-BF5F-4EF50EB22100}.dat
        Filesize

        5KB

        MD5

        f953601d0d232f9515230ee9e8d2dc79

        SHA1

        3ba750970b9d4f2d486222405f992281d84e538d

        SHA256

        c32bfd5bca43ab1af6534447d1a2868583d34aa1b53ba25b995d20daaa356eb3

        SHA512

        bc2ace15b97614af7741bd6687d33a75b2814480131b1d58f86245bfd33ce928493f432e6ddf5bb3ab63e7f4c6c91b43e16fd568ae3d7fdf0993a1871e34559a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FD8D00F3-77E0-11ED-BF5F-4EF50EB22100}.dat
        Filesize

        5KB

        MD5

        a798d9348b826b3620afd535af8a9a8b

        SHA1

        cf6b4d7459fa1a36cc26e9e960f8bc23e0a03f6d

        SHA256

        93064c92ef47ae2a0586d4584019462136778072ab3b847a540c44707a56e0f8

        SHA512

        993c7bde3ae80a0b7805eb7a6203bd75975c60c6260e7d7a40aefa49fc6e2fadd8aa8ce5f3b3d41c23df5317efb302df4d2cc0f91b4203eb0bc789689ba31fb1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FD8D2803-77E0-11ED-BF5F-4EF50EB22100}.dat
        Filesize

        5KB

        MD5

        872c2db922f6e5abc48c2411d4b25482

        SHA1

        ebbb3d9dfa70c90bf25d766f65f56d29e2d1b82b

        SHA256

        14edd86c19bee82921ac32a69f8ffe017683e19d7ec54a1201a96900c978bb2e

        SHA512

        a85fe7314b4c7220d14d30cc5ff35eae313b5839d67e95e7ab0215d5abff9430618e4c67f6d9130d16ff9837d3c167750caa2c9374f020e0f511df0db4a9ce10

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ins13E6.tmp
        Filesize

        57.2MB

        MD5

        94138c6b753877201f5f64aeed79618e

        SHA1

        90e57463c3b2985f7f9f927e991f8004402ad74a

        SHA256

        d101de7e9b1f6ba068064850f2b60508e4dbf304f533c5069228318d024d78de

        SHA512

        4f9eecbaccd487387a458757291efcd6f9d0500cef7fc2959dd785a26f567c083e43e2d15fea5af7c91bb1ad897f6b1889ee023521a70784ecfd0ef4175f98f4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ins13E6.tmp
        Filesize

        57.2MB

        MD5

        94138c6b753877201f5f64aeed79618e

        SHA1

        90e57463c3b2985f7f9f927e991f8004402ad74a

        SHA256

        d101de7e9b1f6ba068064850f2b60508e4dbf304f533c5069228318d024d78de

        SHA512

        4f9eecbaccd487387a458757291efcd6f9d0500cef7fc2959dd785a26f567c083e43e2d15fea5af7c91bb1ad897f6b1889ee023521a70784ecfd0ef4175f98f4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\linkp_gverych.tmp
        Filesize

        706B

        MD5

        43a67a3601797b487041c505bc77969e

        SHA1

        01e3c2a53271efd585045c7de9e012b37c18dcef

        SHA256

        771a33ad0d463ed7444d424e73e16d4c9b63513ed9d3a9a53e8dbb8c4d050569

        SHA512

        f8f4b7c5640e366449f0d6594622e9323ba22a30be7e8594beb9fc6fbe8a2e01f68aca008e088ce10e36ad33c19562e8ec45fc2107db352220b1eef8f7d21f55

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
        Filesize

        63B

        MD5

        3e17df8d308157e1b4455725ec513e72

        SHA1

        a51c8a3e064e0fb61fff5b52eb6b0bdc270ce12a

        SHA256

        fa7e201c9309bfc0bebfa074a2cb6e42b084866fd6726a9fc15de076a33a7492

        SHA512

        90d408932628982bc1516b9a196bc5cfdb7041aa1fdba2b188974b9381c9f28ecb7d828d88692d65b610db730a008b5493088830fb86201e676f325ff73e26a9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
        Filesize

        94B

        MD5

        d5fc3a9ec15a6302543438928c29e284

        SHA1

        fd4199e543f683a8830a88f8ac0d0f001952b506

        SHA256

        b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

        SHA512

        4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
        Filesize

        98B

        MD5

        8663de6fce9208b795dc913d1a6a3f5b

        SHA1

        882193f208cf012eaf22eeaa4fef3b67e7c67c15

        SHA256

        2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

        SHA512

        9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

        Download Submit

      • C:\Users\Admin\Favorites\°ËØÔɫͼ.url
        Filesize

        154B

        MD5

        8d681a59ea75e91f730bd9ce3c42e514

        SHA1

        9d426029daeebf03c9053761e0e5a9f447f98e9c

        SHA256

        afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

        SHA512

        ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

        Download Submit

      • C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url
        Filesize

        155B

        MD5

        5a17106c27138df10448c2c3be95f399

        SHA1

        56acc2ed4fea4171127a13dcdee08bdd39d674d6

        SHA256

        c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

        SHA512

        1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

        Download Submit

      • C:\Users\Admin\Favorites\´´ÒµÍ¶×ʺÃÏîÄ¿.url
        Filesize

        156B

        MD5

        8a275b261afcc166671132b6f03831e4

        SHA1

        03ac21edc1de2df748ee3a301a6b3de989c423c3

        SHA256

        0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

        SHA512

        269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

        Download Submit

      • C:\Users\Admin\Favorites\¿´¿´µçÓ°.url
        Filesize

        158B

        MD5

        d645085ab92574a2a17abd323415dde5

        SHA1

        49ebaa4499cacd9256f270f35f31684b7cd195b1

        SHA256

        41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

        SHA512

        a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

        Download Submit

      • C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url
        Filesize

        157B

        MD5

        993f72a439a3301caeb969c7faa7a8b9

        SHA1

        176244349a0463cd0fc38cad426d89dc3b055311

        SHA256

        b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

        SHA512

        c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

        Download Submit

      • C:\Windows\LOGS\DPX\setupact.log
        Filesize

        167KB

        MD5

        bd8df11305d1c60e3182674a4ab5e22f

        SHA1

        c384ee743a607ed1faa63d78eebab912d82979ac

        SHA256

        3fd14d59e5804919454a343bb7ff0e63159a178b1b14dedeebb047ef26aa9f0c

        SHA512

        e34b7037ae8f8c465c615ada3a28144a81cfcc8d2ce49c720ab805d44f297c220eb77e73840a8af8bc7cd2c86d8ff561554523422522f4200c5238930614121e

        Download Submit

      • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
        Filesize

        475B

        MD5

        7435d786e086d63639c02a3f39cecf84

        SHA1

        a4d70109c0099e46e2cb17c92c1eb901b0744d46

        SHA256

        376c35bd15ab9fb651cec5008e8ad5b5b894a5219a1f887199971a0c5a5c2598

        SHA512

        3db60a0722b302bf48725e9cf78b2683e32ffd65a6f7bebb218eb0e0d2db1922b64678636013d9bf83368e5f5f64794678a9f657897bba541f2749b71da09edc

        Download Submit

      • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
        Filesize

        425B

        MD5

        da68bc3b7c3525670a04366bc55629f5

        SHA1

        15fda47ecfead7db8f7aee6ca7570138ba7f1b71

        SHA256

        73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

        SHA512

        6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

        Download Submit

      • memory/3676-148-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download