Overview

overview

8

Static

static

b4e56152f8...56.exe

windows7-x64

8

b4e56152f8...56.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 23:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe

  • Size

    104KB

  • MD5

    2c46e758200bdae00d795f06f8f0234a

  • SHA1

    c050af649f70f7284c0da7101abbf77e62032a94

  • SHA256

    b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056

  • SHA512

    121a28a34e77f094f0c978cc2085ca9c882e68400f5e63562d850ade62e5eb0d66fa8953562262b08b3226cb3bc5e7cfd94fe4cc2f864dd40f29c621b4f27fa6

  • SSDEEP

    1536:T/eA8BQWrI0Scqy/IVjiZUPyE5nMqmRTCkc9x+HejfAclG25DmQT:rchsXpy/iWZ85nIRekciwfDmQT

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 60 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e56152f8d7bedbc217e9c0401a7abc829d988ae28ff37a32390ac3322c4056.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1164
    • \??\c:\Program Files114S2I.exe
      "c:\Program Files114S2I.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1936
    • C:\Windows\SysWOW64\WScript.Exe
      WScript.Exe jies.bak.vbs
      2⤵
      • Deletes itself
      PID:1668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files114S2I.exe
    Filesize

    10KB

    MD5

    409a6e08d8d73dd171baa5a76d73a83d

    SHA1

    f1daa273f03066081d5d0102d306afa82f2b58ad

    SHA256

    a7ef14542196e90cc7bc7e71b74fb1bf3ddf6bae0a3b65f0e0e2fda19668c4e1

    SHA512

    9a5e2d66383c320a26c84cd108c546e9bb5936fe373e036a4c983fb09680fac11f98f811fe2d8f053036bc719037e8057a06fdacabbaec1219faf682b30963e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs
    Filesize

    486B

    MD5

    e54d1c02c487a883fc9825d3fd8f86d1

    SHA1

    403e8640d815494766e4fb71a447a330aa10c54b

    SHA256

    e5f16a7d0aa26df9c87925c43fbfe051f821d6a0a86efa27ba6b25f662579313

    SHA512

    1873b1e510b6ab557e177b5bc29832286af118fe0b0994a1cc3ab3a275cd6dc1ca77f32772d252a9d58e6573e81b9d8da1c0a045d3fc2c3eb7f9412dfdb7e1bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U0KMTIPQ.txt
    Filesize

    601B

    MD5

    78df768f9c0be0da1c710550a370ab8f

    SHA1

    9db52d5866d6acd0de385b780738f3ac25d2fe5d

    SHA256

    d5eab7ed7fb56fdfef2761de7e49da65acdea49c229c7f47bfb584116f6dae48

    SHA512

    992681b66e0f4d37b36e0fc6d32fd2a7710d58f3cf2d671d3c3080167d8e95522185bfd8c24219b4162d624f007faf1025cf40fcd8d86a9e44ed9bceaaf7739c

    Download Submit

  • memory/1164-56-0x0000000075C61000-0x0000000075C63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1164-61-0x00000000002A0000-0x00000000002AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1164-62-0x00000000002A0000-0x00000000002AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1164-64-0x00000000002A0000-0x00000000002AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1164-68-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1652-63-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1652-65-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download