Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2022, 13:47

General

  • Target

    ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da.exe

  • Size

    273KB

  • MD5

    0cce532e234e980666db7ac207677b99

  • SHA1

    877550b13b48343d9fa2023243af998cf6554715

  • SHA256

    ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da

  • SHA512

    619316062c077c9bbcbb96742364f6fa7445a3027f7a05c75558a96e7d589199a7d4829a24fe90169d4bfccce51967d8f9e3d8c9e87e6a2f923cea4732a2556b

  • SSDEEP

    6144:9MhiBs/ijJhu4Ab4CPfNjJjmQcYKxvpoyqMfz5Ak:9MhiBs/Ouh/x4LqMrn

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is the Windows command-line utility for creating, configuring and controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies registry class 12 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da.exe
    "C:\Users\Admin\AppData\Local\Temp\ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\LayerYahoo.exe
      "C:\LayerYahoo.exe" C:\Users\Admin\AppData\Local\Temp\ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      PID:2040
    • C:\LayerYahoo.exe
      "C:\LayerYahoo.exe" rb
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files\PersonalGoogle.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}" /v "Compatibility Flags" /t REG_SZ /d 00000400 /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1168
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
        3⤵
        • Modifies Internet Explorer settings
        PID:724
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s scrrun.dll
        3⤵
        • Modifies registry class
        PID:1528
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1760
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s itss.dll
        3⤵
        PID:680
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
        3⤵
        • Modifies registry key
        PID:1476
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1792
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1916
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s vbscript.dll
        3⤵
        PID:948
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s itss.dll
        3⤵
        PID:1508
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1512
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s vbscript.dll
        3⤵
        PID:1600
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1160
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1724
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d no /F
        3⤵
        • Modifies Internet Explorer settings
        PID:1812
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /u /s shimgvw.dll
        3⤵
        PID:1756
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
        3⤵
        • Modifies registry key
        PID:1736
      • C:\Windows\SysWOW64\sc.exe
        sc.exe create ccosmSrv BinPath= "C:\Program Files\StormII\stormSrv.exe /asservice" type= own type= interact start= auto DisplayName= PoliceError
        3⤵
        • Launches sc.exe
        PID:624
      • C:\Windows\SysWOW64\sc.exe
        sc.exe description ccosmSrv "Contrl Center of Storm Media"
        3⤵
        • Launches sc.exe
        PID:2044
    • C:\Program Files\MiniError.exe
      "C:\Program Files\MiniError.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      PID:1628
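The cmd.exe child (PID 276) is running the dropped PersonalGoogle.bat, and its reg.exe, regsvr32.exe and sc.exe children are the interesting part of the tree: two deletions of the DiskDrive class GUID ({4D36E967-...}) from SafeBoot\Minimal in both control sets, which stops disk drivers loading in Safe Mode so the box can no longer be started in Safe Mode for cleanup; a kill bit (Compatibility Flags 0x400) set on the Shockwave Flash ActiveX CLSID ({D27CDB6E-...}); unregistration of vbscript.dll, scrrun.dll, itss.dll and shimgvw.dll; deletion of the whole HKLM Run key (the "Adds Run key" tag above is the engine's label for a write to that key, but the command shown deletes it); and an auto-start service, ccosmSrv, created with `type= interact`. The following triage helper is an added example, not part of the sandbox report or the malware: it classifies those command lines into the behaviour each implements. The SAMPLE_EVENTS records are constructed from the process tree above; their pid/image/cmdline layout is an assumed, simplified process-creation log, not a real export format.

```python
"""Added triage helper (not from the sandbox report): classify reg.exe,
regsvr32.exe and sc.exe command lines into the tampering they implement.
SAMPLE_EVENTS is constructed from the report's process tree; the record
layout is an assumption, not a real sandbox export format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# DiskDrive setup-class GUID. SafeBoot\Minimal lists the classes allowed to load
# in Safe Mode; deleting this entry stops disk drivers loading there.
DISKDRIVE_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
# Shockwave Flash ActiveX CLSID; Compatibility Flags bit 0x400 is the kill bit.
FLASH_CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
KILL_BIT = 0x400
# COM servers that scripting tools and scanners rely on.
COM_SERVERS = {"vbscript.dll", "scrrun.dll", "itss.dll", "shimgvw.dll"}

T_SAFEBOOT = "safe-mode tampering"
T_KILLBIT = "activex kill bit"
T_IE_MAIN = "ie main setting changed"
T_RUNKEY = "run key wiped"
T_UNREG = "com server unregistered"
T_SERVICE = "service created"


@dataclass
class Finding:
    pid: int
    technique: str
    detail: str


def tokens(cmdline):
    """Split a Windows command line; a "..." group is one token, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def reg_opts(args):
    """Map reg.exe switches to values (/v, /t, /d take a value; others are flags)."""
    out, i = {}, 0
    while i < len(args):
        sw = args[i].lower()
        if sw in ("/v", "/t", "/d") and i + 1 < len(args):
            out[sw] = args[i + 1]
            i += 2
        else:
            out[sw] = True
            i += 1
    return out


def sc_opts(args):
    """Parse sc.exe 'option= value' pairs; a repeated option (type=) accumulates."""
    out, i = {}, 0
    while i < len(args):
        if args[i].endswith("=") and i + 1 < len(args):
            out.setdefault(args[i][:-1].lower(), []).append(args[i + 1])
            i += 2
        else:
            i += 1
    return out


def classify(ev):
    """Return a Finding for a tampering command line, or None if it looks benign."""
    toks = tokens(ev["cmdline"])
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    if exe == "reg.exe" and len(toks) >= 3:
        verb, key = toks[1].lower(), toks[2]
        ku, opts = key.upper(), reg_opts(toks[3:])
        if verb == "delete" and "\\CONTROL\\SAFEBOOT\\" in ku and ku.endswith(DISKDRIVE_CLASS.upper()):
            return Finding(ev["pid"], T_SAFEBOOT, "DiskDrive class removed from " + key)
        if verb == "delete" and ku.endswith("\\CURRENTVERSION\\RUN"):
            return Finding(ev["pid"], T_RUNKEY, "whole key deleted: " + key)
        if verb == "add" and "\\ACTIVEX COMPATIBILITY\\" in ku and opts.get("/v", "").lower() == "compatibility flags":
            try:
                flags = int(opts.get("/d", "0"), 16)
            except ValueError:
                flags = 0
            if flags & KILL_BIT:
                clsid = key.rsplit("\\", 1)[-1]
                which = "Shockwave Flash" if clsid.lower() == FLASH_CLSID.lower() else clsid
                # Caveat: the report writes the value as REG_SZ; the kill bit is
                # documented as REG_DWORD, so IE may ignore it. Flag it regardless.
                return Finding(ev["pid"], T_KILLBIT, "%s (type %s)" % (which, opts.get("/t")))
        if verb == "add" and "\\INTERNET EXPLORER\\MAIN" in ku:
            return Finding(ev["pid"], T_IE_MAIN, "%s=%s" % (opts.get("/v"), opts.get("/d")))
    elif exe == "regsvr32.exe" and len(toks) >= 2:
        switches = {t.lower() for t in toks[1:] if t.startswith("/")}
        if "/u" in switches and toks[-1].lower() in COM_SERVERS:
            return Finding(ev["pid"], T_UNREG, toks[-1].lower())
    elif exe == "sc.exe" and len(toks) >= 3 and toks[1].lower() == "create":
        o = sc_opts(toks[3:])
        types = "+".join(t.lower() for t in o.get("type", []))
        detail = "%s binpath=%s start=%s type=%s" % (
            toks[2], o.get("binpath", ["?"])[0], o.get("start", ["demand"])[0], types)
        return Finding(ev["pid"], T_SERVICE, detail)
    return None


def triage(events):
    return [f for f in map(classify, events) if f is not None]


def summary(findings):
    return Counter(f.technique for f in findings)


def ev(pid, image, cmdline):
    return {"pid": pid, "image": image, "cmdline": cmdline}


REG, RSV, SC = (r"C:\Windows\SysWOW64\reg.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
                r"C:\Windows\SysWOW64\sc.exe")
SAMPLE_EVENTS = [  # constructed from the report's process tree
    ev(1168, REG, r'reg.exe ADD "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}" /v "Compatibility Flags" /t REG_SZ /d 00000400 /F'),
    ev(724, REG, r'reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F'),
    ev(1528, RSV, r"regsvr32.exe /u /s scrrun.dll"),
    ev(680, RSV, r"regsvr32.exe /u /s itss.dll"),
    ev(1476, REG, r"reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F"),
    ev(1724, REG, r"reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F"),
    ev(1756, RSV, r"regsvr32.exe /u /s shimgvw.dll"),
    ev(1736, REG, r"reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F"),
    ev(624, SC, r'sc.exe create ccosmSrv BinPath= "C:\Program Files\StormII\stormSrv.exe /asservice" type= own type= interact start= auto DisplayName= PoliceError'),
    ev(2044, SC, r'sc.exe description ccosmSrv "Contrl Center of Storm Media"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("PID %-5d %-26s %s" % (f.pid, f.technique, f.detail))
    print(dict(summary(SAMPLE_EVENTS and triage(SAMPLE_EVENTS))))
```

Two points to carry into a hunt: the same SafeBoot deletion is issued against both CurrentControlSet and ControlSet001, so a detection keyed only on one of them misses the other, and `sc description` on its own is benign, which is why the helper reports only the `create`. The `type= own type= interact` combination asks for an interactive service, which on Windows 7 runs in session 0 and cannot draw on the user's desktop; what the service binary actually does is not visible in this report because the sandbox never reached a reboot.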

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\LayerYahoo.exe

    Filesize

    24KB

    MD5

    52d65eb8ff6c081627d4233c6ea089bd

    SHA1

    76c254ac29b19d6e98baa211ad9e5576c3828ba2

    SHA256

    6379279130e58dbfae8e2c8edd6b63d74908588835eb58484e693a693eb5c180

    SHA512

    2a668528ccccc5e408f9de0ab8887e8aba779b148bfa159a295d66a6565d1bbb5880c860fddf8aa823c7b999d6c04f9e1928aea61dce462d2f4207128bb5969d

  • C:\Program Files\MiniError.exe

    Filesize

    273KB

    MD5

    0cce532e234e980666db7ac207677b99

    SHA1

    877550b13b48343d9fa2023243af998cf6554715

    SHA256

    ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da

    SHA512

    619316062c077c9bbcbb96742364f6fa7445a3027f7a05c75558a96e7d589199a7d4829a24fe90169d4bfccce51967d8f9e3d8c9e87e6a2f923cea4732a2556b

  • C:\Program Files\PersonalGoogle.bat

    Filesize

    2KB

    MD5

    6088bef2dfbe0a88a399b120cc71ca9b

    SHA1

    dadf2f7a04b499e840e60af7648c7f00d8f7ac2c

    SHA256

    ec34fc17c535bfc868037f41a136e5546b010848a6ea095886b3df9a37173ffb

    SHA512

    aa3a2c73567a5f205d66be2b6792be49451e33de611e19d991a024c59c878326f10314eb5be27f6de5fd18e451d7523f16169a1e916c9a172ce81c132129d8ab

  • \Program Files\MiniError.exe

    Filesize

    273KB

    MD5

    0cce532e234e980666db7ac207677b99

    SHA1

    877550b13b48343d9fa2023243af998cf6554715

    SHA256

    ad107df79ff0f32a25ffaae6cb3561ad0becb6607e11dcd2a7c199a7fef153da

    SHA512

    619316062c077c9bbcbb96742364f6fa7445a3027f7a05c75558a96e7d589199a7d4829a24fe90169d4bfccce51967d8f9e3d8c9e87e6a2f923cea4732a2556b

  • memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

    Filesize

    8KB