959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939

Analysis

max time kernel
41s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe
Size

695KB
MD5

3e62838a510a91c9f34d0943dc40eecd
SHA1

a9661689901c92185b1783bd5b31cbbf627adc7f
SHA256

959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939
SHA512

7ab256b5a66c53700a3e576ec5b87f52ba96f94b7951c3d82e0e5226b854b3d1f85903c254b463d642a9044142c01a82fb5ae43a510aba2c17379423d38a38dd
SSDEEP

12288:mi+ETezCHQkZPhprhmH6ukWAljnQlnl2OdpbxZDmRmFaZ:miQsFhBhmAWAdnQxlfj6YaZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.693.cc/"	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1992	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2032	1280	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	27
PID 1280 wrote to memory of 2032	1280	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	27
PID 1280 wrote to memory of 2032	1280	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	27
PID 1280 wrote to memory of 2032	1280	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	27
PID 2032 wrote to memory of 1992	2032	cmd.exe	29
PID 2032 wrote to memory of 1992	2032	cmd.exe	29
PID 2032 wrote to memory of 1992	2032	cmd.exe	29
PID 2032 wrote to memory of 1992	2032	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe
"C:\Users\Admin\AppData\Local\Temp\959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "C:\Users\Admin\AppData\Local\Temp\959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads