Overview

overview

8

Static

static

b8ad3a57d6...84.exe

windows7-x64

8

b8ad3a57d6...84.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    161s
  • max time network
    207s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 19:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84.exe

  • Size

    12KB

  • MD5

    3a7bec068bd5ddc12b3266df7ae68d04

  • SHA1

    6f66bf634751ca44f2e1959c89b253266c1bd8f9

  • SHA256

    b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84

  • SHA512

    21ed9867ac77bebaf4d0888c2641d72babdd6101985ffd38b1928be42ba0d4e7dad39794b096be1da20fe260a3cd6e864c72ece925dc83761087bc432158564e

  • SSDEEP

    192:7RksiESTYWtTIwpuHR0MgvVc/iF/JA73fMORINPk6WvW1EDp2B/0V/9SNs/:isiESTBEwAR0MgtiwJ+PMHPk6WvW1EDt

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84.exe
    "C:\Users\Admin\AppData\Local\Temp\b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.18hi.net/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:464 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1560
    • C:\Windows\system\Run39.exe
      "C:\Windows\system\Run39.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3e95933060e813cc5a6ffcc7f88c6c2d

    SHA1

    7912056bbab6f18c2eb1a7aafde5c65ec4c53f06

    SHA256

    b4bbe0196d159d8b2761c5db7e11de4366aa467d53c847e9c21eb272b6de30b8

    SHA512

    6294c07185094fe15db567b958b691ddb822cdc9ffe1bdce7d6d576303760bddfe5033d4a11aea2873d266e035dfbcf8dd9db7ba1429d5a0a5412e85136cc706

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3cd62850df760f26c8f2f48b25de8844

    SHA1

    f682831195c56cf61a0d70ddb93dd2b18d4e0698

    SHA256

    6dd139a475dba550dc4f5b0ef4915247f4ff0ac57dde25772c40a4bb32db1399

    SHA512

    6c0f4c2ab95542ab6fc16e57fe41f02c3a905b4e8c99ffad5e7a9d51e8fc7dd20c579ece78ada88a1e47c820fb6de1308885fcae9df3f2e37ea7577aebf691e8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e0dc833c9581c7514042c9f95173f830

    SHA1

    38d67eb9beca5a8f4f53303bf1a35afe88e135ff

    SHA256

    36ebee916927736821b5cb3a4daca8ca8ac9a43bd56caad48cb48359186af916

    SHA512

    4119ae610df821db576e1a76743a39e3694015094edc27c6a70aadd732738b323df1f33562e882af6d974d65b2835e553a74a0af135809492a0564bf16140f29

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    e1cb6d050f67fca36e5a6e466b13b96b

    SHA1

    8be93b9d9d5fb6d9b8871008e3e89de9b4413e70

    SHA256

    860386ff81b46cb457269dc2c6f54bbe15a9ce9fb2c85885e17f94b30b0e089f

    SHA512

    02681312e13d8f0c6bc4a026d09b6b427025bbab5a832e6990f5be68d0c5eff6729cffa0c0b7f67128feba36fd2d7a8d4391aa85b355bdf3d1fce17a9abf5bfb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MN9LRCV4.txt
    Filesize

    608B

    MD5

    e12b949757c89eb6ade465ee8ef5b8a7

    SHA1

    507b99197e5410f73cfdc536ef28398f61fb782e

    SHA256

    2b727a5e20d1956acfb6e9b860c0bb49e896d36fdcfe683cdb4ab9e483a07878

    SHA512

    9e7b5869200cd2628b24afa53df17b7af4e8c2752c290f9ca7e50ba4cda94478638ba5661b877fc08c67e881343cd54c022aefa8d4a64a4c9dabc36bda16c7d6

    Download Submit

  • C:\Windows\system\Run39.EXE
    Filesize

    12KB

    MD5

    3a7bec068bd5ddc12b3266df7ae68d04

    SHA1

    6f66bf634751ca44f2e1959c89b253266c1bd8f9

    SHA256

    b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84

    SHA512

    21ed9867ac77bebaf4d0888c2641d72babdd6101985ffd38b1928be42ba0d4e7dad39794b096be1da20fe260a3cd6e864c72ece925dc83761087bc432158564e

    Download Submit

  • C:\Windows\system\Run39.exe
    Filesize

    12KB

    MD5

    3a7bec068bd5ddc12b3266df7ae68d04

    SHA1

    6f66bf634751ca44f2e1959c89b253266c1bd8f9

    SHA256

    b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84

    SHA512

    21ed9867ac77bebaf4d0888c2641d72babdd6101985ffd38b1928be42ba0d4e7dad39794b096be1da20fe260a3cd6e864c72ece925dc83761087bc432158564e

    Download Submit

  • \Windows\system\Run39.exe
    Filesize

    12KB

    MD5

    3a7bec068bd5ddc12b3266df7ae68d04

    SHA1

    6f66bf634751ca44f2e1959c89b253266c1bd8f9

    SHA256

    b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84

    SHA512

    21ed9867ac77bebaf4d0888c2641d72babdd6101985ffd38b1928be42ba0d4e7dad39794b096be1da20fe260a3cd6e864c72ece925dc83761087bc432158564e

    Download Submit

  • \Windows\system\Run39.exe
    Filesize

    12KB

    MD5

    3a7bec068bd5ddc12b3266df7ae68d04

    SHA1

    6f66bf634751ca44f2e1959c89b253266c1bd8f9

    SHA256

    b8ad3a57d61ecb4b19607bc407b89144217d572b7fcb6997bbe4a899fb2a3c84

    SHA512

    21ed9867ac77bebaf4d0888c2641d72babdd6101985ffd38b1928be42ba0d4e7dad39794b096be1da20fe260a3cd6e864c72ece925dc83761087bc432158564e

    Download Submit

  • memory/576-65-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/576-56-0x0000000075F21000-0x0000000075F23000-memory.dmp

    Filesize

    8KB

    Download

  • memory/576-57-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1128-66-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1128-74-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download