Overview

overview

8

Static

static

933fd28c01...07.exe

windows7-x64

8

933fd28c01...07.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe

  • Size

    50KB

  • MD5

    0b673c2ed0b4add50f7c19ab2e369912

  • SHA1

    797ba8f7d91d9482e978c74a259945626ab9941e

  • SHA256

    933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307

  • SHA512

    90562bc7854c55a0426b3fb4bfc63032c0b5e05f6567fc8be335758bbf7c4a35fd5b4515cbb47e5edcac0bbd051eb60a0b47bf95781215c0593aef0e0b1ab966

  • SSDEEP

    768:0unq3sohibJC6qmmAbDChbSz5DR2T6lez6rrSYMWVZVwHKqCPvaV:pRbJmmmAKFX2dVZVwHKqSvaV

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe
    "C:\Users\Admin\AppData\Local\Temp\933fd28c019fe0a70524891bffb0840e48089e81dafbf8525aa8337e90160307.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\inlE283.tmp
        C:\Users\Admin\AppData\Local\Temp\inlE283.tmp dml-oadmp.tmp
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlE283.tmp > nul
          4⤵
            PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
          3⤵
          • Drops file in Windows directory
          PID:672
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\expand.exe
          expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
          3⤵
          • Drops file in Windows directory
          PID:1772
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\933FD2~1.EXE > nul
        2⤵
        • Deletes itself
        PID:524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dml-oadmp.tmp
      Filesize

      795B

      MD5

      c12ec84b236018f7076bb56f79c66832

      SHA1

      02ad25b4ea28916203ac3cd1a4fc48c39b5f3dc2

      SHA256

      1114da7ea9e9e7fe93b3feaff40cabee22c7e9b81ecfd0e40f05d9ebeee7ca3d

      SHA512

      7255f00f14c337b67611304972ffa88a5882136f7c0d5405aa7814187b733acabd4460e4f9c23b86fdb68213b69d9591c13d1fb3be719dafde55da167e33b1aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\inlE283.tmp
      Filesize

      122.8MB

      MD5

      8a1820c2c3025865837c4f0c25ea8eb0

      SHA1

      2703c4f99ee9a2abe74639c99a9e149e5b562bca

      SHA256

      bd537739cfbdabe7ca9195af32c7b45ebd7de814a85cd958533d25761c9851f8

      SHA512

      aec5c1d1c60a66e6481b848e1654462238b656cf7cb2ed5baaa672dcc963cd1eba3567d05b9a12971c21cab575b2aa362f96b0122ce2b2030f4b506ab1c58df9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\inlE283.tmp
      Filesize

      122.8MB

      MD5

      8a1820c2c3025865837c4f0c25ea8eb0

      SHA1

      2703c4f99ee9a2abe74639c99a9e149e5b562bca

      SHA256

      bd537739cfbdabe7ca9195af32c7b45ebd7de814a85cd958533d25761c9851f8

      SHA512

      aec5c1d1c60a66e6481b848e1654462238b656cf7cb2ed5baaa672dcc963cd1eba3567d05b9a12971c21cab575b2aa362f96b0122ce2b2030f4b506ab1c58df9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
      Filesize

      59B

      MD5

      65ab0a24d257d8ff7f4051f02710b739

      SHA1

      791f45b00bfd19bde557e2f7e3e7937d834811c8

      SHA256

      14636e68abc89ab05fe9baa4e194196b2dd9bd33c5f12eacc760987eba88a999

      SHA512

      9c8a0158006c855a9e8bc7059070ef9cbd827bf1cbe51cd024c6e79221551d8f36a4ba9ede4117f182701b314d89a3e798e0484954ebcb9190a3b6c249bc38bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat
      Filesize

      94B

      MD5

      d5fc3a9ec15a6302543438928c29e284

      SHA1

      fd4199e543f683a8830a88f8ac0d0f001952b506

      SHA256

      b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

      SHA512

      4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
      Filesize

      98B

      MD5

      8663de6fce9208b795dc913d1a6a3f5b

      SHA1

      882193f208cf012eaf22eeaa4fef3b67e7c67c15

      SHA256

      2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

      SHA512

      9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DP3DCHI0.txt
      Filesize

      608B

      MD5

      093ab2006e15e71e44502bdcf736a53e

      SHA1

      020c6901eaa2ba5f6d33c64bb98337947a5d5ee3

      SHA256

      191a768fa0ab74fd51ef22f172a29011efbac582662db4cc635b991168d08ae5

      SHA512

      ee159b97bacd547638e5d6925902f7c2000041ee73717b42c437d710e35bb95d1ecb03985dad2538f57025c57af354228960c062ee29c5e7a2776c89a5f7423c

      Download Submit

    • C:\Windows\Logs\DPX\setupact.log
      Filesize

      6KB

      MD5

      6b3d092e3bc36ed7af7cde733901631a

      SHA1

      da1a5eca838992a7691cc4b4684e0d9e107e4149

      SHA256

      042500e1a0e10b713da8fdaf9e56a1e64ded4f159f515cf4604392f99eb82b9b

      SHA512

      59ab17625bac8889991864efdb4a20b79b2bda09be8745f636397149bc64a1ae34724cb6c7e65f86baa24321fc9027e3bafca4846168372374d060392631d90d

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\desktop_url.cab
      Filesize

      524B

      MD5

      62a2126d86b4aa489e696d593a3579d7

      SHA1

      1925bad55c4ab7d6b7e7f3118f31c2ebac9ded5a

      SHA256

      d62cef36cbd98e7a37d716ffda5ca0da77144625a5c43b1322e980020884fbf5

      SHA512

      a53e4e8b74dae3e6ab367cba50ed4cac925727a40c8962277ecea5604d9ae76cd1e42c78c04235bd80e82755de3f374f89c6885eec60620881c246379ff067f6

      Download Submit

    • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
      Filesize

      425B

      MD5

      da68bc3b7c3525670a04366bc55629f5

      SHA1

      15fda47ecfead7db8f7aee6ca7570138ba7f1b71

      SHA256

      73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

      SHA512

      6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

      Download Submit

    • \Users\Admin\AppData\Local\Temp\inlE283.tmp
      Filesize

      122.8MB

      MD5

      8a1820c2c3025865837c4f0c25ea8eb0

      SHA1

      2703c4f99ee9a2abe74639c99a9e149e5b562bca

      SHA256

      bd537739cfbdabe7ca9195af32c7b45ebd7de814a85cd958533d25761c9851f8

      SHA512

      aec5c1d1c60a66e6481b848e1654462238b656cf7cb2ed5baaa672dcc963cd1eba3567d05b9a12971c21cab575b2aa362f96b0122ce2b2030f4b506ab1c58df9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\inlE283.tmp
      Filesize

      122.8MB

      MD5

      8a1820c2c3025865837c4f0c25ea8eb0

      SHA1

      2703c4f99ee9a2abe74639c99a9e149e5b562bca

      SHA256

      bd537739cfbdabe7ca9195af32c7b45ebd7de814a85cd958533d25761c9851f8

      SHA512

      aec5c1d1c60a66e6481b848e1654462238b656cf7cb2ed5baaa672dcc963cd1eba3567d05b9a12971c21cab575b2aa362f96b0122ce2b2030f4b506ab1c58df9

      Download Submit

    • memory/972-75-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1636-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-71-0x00000000000C0000-0x00000000000C7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1744-73-0x00000000000C0000-0x00000000000C7000-memory.dmp

      Filesize

      28KB

      Download