Analysis

  • max time kernel
    90s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 12:07

General

  • Target

    d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe

  • Size

    183KB

  • MD5

    da7f28a346445f10e95c6cf46c12e875

  • SHA1

    e5f981e70068151efe769173b9ca96909916eefb

  • SHA256

    d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7

  • SHA512

    e50d276689235c2621980cd6845fdca87c2981814fcca61420d60c29aea7d4a44fdc54c2de0a19443070c6e8651a15f4b5f2499ecb285d753a3bbf75ad6de058

  • SSDEEP

    3072:ggXdZt9P6D3XJE45iOPsNzQ6cu5xvByDNqioZItk6C0UYo6wGBKYSA1sNzQ9:ge34+NOPsN0u5nyEi4tx0UYo6wG/sNa

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report supports that: no file encryption or ransom note is recorded, and the rest of the tree is an installer that drops Shop_Matching into Program Files (x86), persists via a Run key and opens Internet Explorer. Read the drive enumeration as installer behaviour unless other evidence appears.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe
    "C:\Users\Admin\AppData\Local\Temp\d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe
      "C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe" A100354348
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2640
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:4752
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4608 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3364
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4608 CREDAT:603154 /prefetch:2
        2⤵
          PID:3624

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Shop_Matching\Shop_Matching.dll

    Filesize

    104KB

    MD5

    6ee6329d1cc50594cb838e5633373f78

    SHA1

    d106fa3d30016606ee9b228a397eba7dca4a7b82

    SHA256

    d9a047a79822b98d9b8c66242461875e9d0fd926dfdee9583bb421718d57f734

    SHA512

    084497260caaa1f14f4ae6041929a558f62f0860154f9b01b812fc242692f192d3568a6b54b4c0256f43cee37fdf362a5f1a8a42f58152eef3ce0c767d9b12d5

  • C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe

    Filesize

    200KB

    MD5

    594566ae4e389635b42f8f3daa29392b

    SHA1

    adfa9933797e9fb597482166a5f68c9c4222aa15

    SHA256

    7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0

    SHA512

    4a88a0b33ee39ad910ee7daa7fa0964730c054f76e6e43a33e3843482f445bd79c401d80b131c75d841838b71e4b1cc33e1398d85c7af2ea71974f73382d7e80

  • C:\Users\Admin\AppData\Local\Temp\nscC039.tmp\KillProcDLL.dll

    Filesize

    32KB

    MD5

    83142eac84475f4ca889c73f10d9c179

    SHA1

    dbe43c0de8ef881466bd74861b2e5b17598b5ce8

    SHA256

    ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

    SHA512

    1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1
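The process tree and the Downloads hashes above are the usable IOCs from this report. The Python script below is an added example (not part of the report, the sandbox, or the sample) showing how to turn them into detection logic over Sysmon-style events: it matches the dropped-file hashes, the Shop_Matching install path, the ns*.tmp\*.dll plugin drop under %TEMP% (the NSIS installer plugin-extraction pattern that nscC039.tmp\KillProcDLL.dll follows), the Run-key persistence and the -Embedding launch of iexplore.exe. The events are constructed from the report and are not real log captures; the Run value name "Shop_Matching" and the svchost.exe parent of iexplore.exe are assumptions, since the report gives neither. The -Embedding launches (ielowutil.exe with CLSID {0002DF01-0000-0000-C000-000000000046}, which is InternetExplorer.Application, and iexplore.exe) are COM activations started by the DCOM service host rather than by PID 4828, which is why they appear as separate tree roots; the matcher treats that launch pattern as supporting evidence only.

```python
"""
Detection example for the IOCs in this Triage report: file hashes from the
Downloads section, the Shop_Matching install path, Run-key persistence and the
COM-activated Internet Explorer launch. Added example; not part of the report.

The events below are CONSTRUCTED from the report's process tree (field names
follow Sysmon's ProcessCreate / FileCreate / RegistryEvent schema); they are
not real log captures.
"""
import json
import re

# MD5 and SHA256 values copied from the report ("General" for the dropper,
# "Downloads" for the dropped files). Sysmon emits hex upper-case; the parser
# lower-cases before lookup.
IOC_HASHES = {
    "da7f28a346445f10e95c6cf46c12e875": "dropper",
    "d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7": "dropper",
    "594566ae4e389635b42f8f3daa29392b": "Shop_Matching.exe",
    "7e2db4380cb85a361031a2545ec1ca9ee5e79eab997badb163706eba14f270a0": "Shop_Matching.exe",
    "6ee6329d1cc50594cb838e5633373f78": "Shop_Matching.dll",
    "d9a047a79822b98d9b8c66242461875e9d0fd926dfdee9583bb421718d57f734": "Shop_Matching.dll",
    "83142eac84475f4ca889c73f10d9c179": "KillProcDLL.dll",
    "ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729": "KillProcDLL.dll",
}

# Behavioural indicators from the process tree; these survive a rebuild of the
# installer, which would change every hash above.
SHOP_MATCHING_RE = re.compile(r"\\Shop_Matching\\Shop_Matching\.(?:exe|dll)\b", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# ns<5 chars>.tmp\*.dll under %TEMP% is the NSIS plugin-extraction pattern
# (the report shows nscC039.tmp\KillProcDLL.dll).
NSIS_PLUGIN_RE = re.compile(r"\\AppData\\Local\\Temp\\ns[a-z0-9]{5}\.tmp\\[^\\]+\.dll$", re.I)
COM_IE_RE = re.compile(r'\\iexplore\.exe"?\s+-Embedding\b', re.I)


def parse_sysmon_hashes(field):
    """Sysmon 'Hashes' field ('MD5=...,SHA256=...') -> {algo: lower-case hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev):
    """Return the list of reasons (possibly empty) an event matches this report."""
    hits = []
    for algo, value in parse_sysmon_hashes(ev.get("Hashes", "")).items():
        label = IOC_HASHES.get(value)
        if label:
            hits.append(f"hash:{algo}:{label}")
    for key in ("Image", "TargetFilename"):
        path = ev.get(key, "")
        if SHOP_MATCHING_RE.search(path):
            hits.append(f"path:{key}:Shop_Matching install dir")
        if NSIS_PLUGIN_RE.search(path):
            hits.append(f"path:{key}:NSIS plugin drop")
    if (ev.get("EventType") == "SetValue"
            and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and SHOP_MATCHING_RE.search(ev.get("Details", ""))):
        hits.append("persistence:Run key -> Shop_Matching.exe")
    if COM_IE_RE.search(ev.get("CommandLine", "")):
        hits.append("com:iexplore.exe launched via -Embedding")
    return hits


def analyze(events):
    """Per-event hits plus whether the chain seen in the report is complete:
    dropper executes -> Shop_Matching.exe executes -> Run key points at it."""
    hits, stages = {}, set()
    for ev in events:
        reasons = match_event(ev)
        if reasons:
            hits[ev["RecordId"]] = reasons
        if ev.get("EventType") == "ProcessCreate":
            if any(r.endswith(":dropper") for r in reasons):
                stages.add("dropper_ran")
            if SHOP_MATCHING_RE.search(ev.get("Image", "")):
                stages.add("payload_ran")
        if any(r.startswith("persistence:") for r in reasons):
            stages.add("persistence")
    return {"hits": hits, "stages": sorted(stages),
            "full_chain": {"dropper_ran", "payload_ran", "persistence"} <= stages}


# Constructed events mirroring the report's tree (PIDs 4828, 2640, 4608).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventType": "ProcessCreate", "ProcessId": 4828,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\d9911e4cfd218a3c827bd3235eb6cb8fb87e50d56a53bbab5b67c6a46b2e15a7.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=DA7F28A346445F10E95C6CF46C12E875,"
               "SHA256=D9911E4CFD218A3C827BD3235EB6CB8FB87E50D56A53BBAB5B67C6A46B2E15A7"},
    {"RecordId": 2, "EventType": "FileCreate", "ProcessId": 4828,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\nscC039.tmp\KillProcDLL.dll"},
    {"RecordId": 3, "EventType": "FileCreate", "ProcessId": 4828,
     "TargetFilename": r"C:\Program Files (x86)\Shop_Matching\Shop_Matching.dll"},
    {"RecordId": 4, "EventType": "ProcessCreate", "ProcessId": 2640, "ParentProcessId": 4828,
     "Image": r"C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe",
     "CommandLine": r'"C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe" A100354348',
     "Hashes": "SHA256=7E2DB4380CB85A361031A2545EC1CA9EE5E79EAB997BADB163706EBA14F270A0"},
    # ASSUMED: the report does not give the Run value name; "Shop_Matching" is a guess.
    {"RecordId": 5, "EventType": "SetValue", "ProcessId": 4828,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shop_Matching",
     "Details": r"C:\Program Files (x86)\Shop_Matching\Shop_Matching.exe"},
    # ASSUMED parent: COM activation starts IE from the DCOM service host, which
    # is why the report shows iexplore.exe as a separate tree root.
    {"RecordId": 6, "EventType": "ProcessCreate", "ProcessId": 4608,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'},
    {"RecordId": 7, "EventType": "ProcessCreate", "ProcessId": 5120,  # benign control
     "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=0123456789ABCDEF0123456789ABCDEF"},
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Run as-is to print the verdict for the constructed events; on real data, feed it Sysmon events exported as JSON (one dict per event) with the same field names. Matching on the install path and the Run key, not only the hashes, matters here: a rebuilt installer changes every hash in the Downloads table while keeping the Program Files (x86)\Shop_Matching path and the persistence mechanism.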