Analysis

  • max time kernel
    151s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2022, 01:38

General

  • Target

    c176a2bf24efba11b4552498fa90e5d51dfb1edd4e4110f21ebd9a43efdc13f4.exe

  • Size

    2.4MB

  • MD5

    6903beabee43994a57618da804c23c6e

  • SHA1

    09015a9adbf1b4f1d2ec8eb1626deb982e7944c7

  • SHA256

    c176a2bf24efba11b4552498fa90e5d51dfb1edd4e4110f21ebd9a43efdc13f4

  • SHA512

    fdcc6a38dc9521616df082122e90381d7225cc0d3797b76909e2a6e444099ed3b1c42c99f21640f8fe7bbd2fefd358c9b3134444e6bb4824db29681347a6ed96

  • SSDEEP

    1536:IWYNxXhoNwWEyHxuEYZLdXTDWL20wYEAOvZFXIReDGTBmE:NQfgfFsRdXfWidAORqeDgBL

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bauza123

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c176a2bf24efba11b4552498fa90e5d51dfb1edd4e4110f21ebd9a43efdc13f4.exe
    "C:\Users\Admin\AppData\Local\Temp\c176a2bf24efba11b4552498fa90e5d51dfb1edd4e4110f21ebd9a43efdc13f4.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\system32\REG.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:1020
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.facebook.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:592
    • C:\Windows\system32\REG.exe
      REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:1468
    • C:\Windows\system32\REG.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:472
    • C:\Windows\system32\REG.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:1948

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 61KB
    MD5: fc4666cbca561e864e7fdf883a9e6661
    SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
    SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
    SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: d5c6545298738e654d5a1a9a49859a4f
    SHA1: 444fbdbc625cccf59bfbcfa5a23f3a32a5693783
    SHA256: 9590019ddcace86ee4b03fd7fdf47aa52647b66e53d4965d5d7af9676a24028a
    SHA512: b487e9fdd98c35b8180e078f9143d15669c3c5b85728e9181df3b2da3527089c1fa3564a8cdc18c0f36dc0f386953bbc796b26158a484c376590464d7eb5e5e8

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
    Filesize: 11KB
    MD5: 34778a7927e633d01c2c252850ab0eb8
    SHA1: 825c7343683643b4c7a64b8fba633720e5074ee1
    SHA256: b878f24563ccde3ef9c33acde38a06cf7369c541a23710f610028f4ef600a6b0
    SHA512: 52e581d2eceeab44576d00bf3b3bdc94b1d0f35cfec1b7b165265bd197dc761d2753ee9b4ab7db5bb514f525f66e8c71963e405ab1961799794a433bb32c61f9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F1YUNM42.txt
    Filesize: 603B
    MD5: 5ce2ce1f2596e14b1196cc6d69a07b8a
    SHA1: dd11e4e434f3292d5a80a2aa130cb9d15902c68c
    SHA256: 65b376e1418b46cf64b3eb77fda52bac14786420660a6680f5f48fd35faea603
    SHA512: d7fd5b3d003d0a9f93afc921cb0b55068ae5f7b73c428d639660f5fc041edde1a2012adc1cf1e002f3ab99b4e529cff706fbdaed74f99ea688468efc86184826

  • memory/1692-54-0x000007FEF4010000-0x000007FEF4A33000-memory.dmp
    Filesize: 10.1MB

  • memory/1692-55-0x000007FEF2D30000-0x000007FEF3DC6000-memory.dmp
    Filesize: 16.6MB

  • memory/1692-56-0x00000000020E6000-0x0000000002105000-memory.dmp
    Filesize: 124KB

  • memory/1692-58-0x00000000020E6000-0x0000000002105000-memory.dmp
    Filesize: 124KB