Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 13:14

General

  • Target

    e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf.exe

  • Size

    123KB

  • MD5

    4ecf9cf3004dc580b9224b0ab15df4c0

  • SHA1

    e1ac1b259d93a7a370f7409be4ffc30e81b6c8ba

  • SHA256

    e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf

  • SHA512

    d13b4cc0bb2e87ea4ab6f95f4cd767fa43d560ceeb03d8242b92b6ff5f7dae1b09a9e024ad99557f7963c0c4e4ad60be5473efb5736e8bc64a66ccc1680f24d5

  • SSDEEP

    3072:8NVRhb9sZu01SAewOpA/yV0GuIkHnuzIpxa/:8N3sZrelAzIkHuzR

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Executes dropped EXE (2 IoCs)

    The two executed drops are C:\Windows\SysWOW64\inf\svchoct.exe and C:\Windows\system\sgcxcxxaspf090131.exe. The latter has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a self-copy rather than a second-stage payload. The former is named one character away from svchost.exe and is placed in the driver-setup (inf) directory, which holds .inf files, not executables.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL (1 IoC)

    svchoct.exe is started with C:\Windows\wftadfi16_090131a.dll on its command line (see the process tree), so the dropped DLL is loaded by the dropped EXE, not by the sample itself.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour", but nothing else in this report supports that: there are no mass file writes or renames and no ransom note. The rest of the chain (self-copy into C:\Windows\system, a policy Run key, Internet Explorer spawned by a process flagged for WriteProcessMemory and SetWindowsHookEx) points to persistence and browser tampering instead.

  • Modifies Internet Explorer settings (1 TTP, 29 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf.exe
    "C:\Users\Admin\AppData\Local\Temp\e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\inf\svchoct.exe
      "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_090131a.dll d16tan
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\mylbs3tecj.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Windows\system\sgcxcxxaspf090131.exe
          "C:\Windows\system\sgcxcxxaspf090131.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4872 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf.exe"
      2⤵
      PID:3848
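The process tree above is the kind of chain a detection engineer turns into hunting logic. The Python below is an added example, not code from the sandbox or from whoever wrote the sample: it encodes the report's SHA-256 values and the behaviours visible in the tree (an executable named one character off svchost.exe, cmd.exe running a .bat from the drive root, PE files written under C:\Windows\system and C:\Windows\SysWOW64\inf, self-deletion via cmd /c del, a Policies\Explorer\Run write) and runs them over constructed Sysmon-style events. The event format, the explorer.exe parent of the sample, the Run value name and the exact registry key behind the "policy Run key" signature are assumptions, not facts from the report.

```python
"""Hunting rules derived from this report's process tree and dropped files.

Added example, not code from the sandbox or from the sample's authors.
ASSUMPTIONS (not on the page): the event records are a constructed, simplified
Sysmon-style format; the parent of the submitted sample is taken to be
explorer.exe; the registry key behind the "Adds policy Run key" signature is
taken to be ...\\Policies\\Explorer\\Run and the value name is a placeholder.
"""
import ntpath
import re

# SHA-256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf": "submitted sample / sgcxcxxaspf090131.exe (self-copy)",
    "6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910": "svchoct.exe",
    "0fb66568070073a3bab56b6ce9bc75c5cd3f22e3a3fd1f667bc7a3d67933247f": "dcbdcatys32_090131a.dll",
    "5a465097a8601b6c7d9e39b4f6ba115e8ca0436fb4a29266fde3df2a7bfbba40": "wftadfi16_090131a.dll",
    "accaf8ae8eda60214a17f5e73f83c96303c9fc0574d37e7759fa5e0005949356": "mylbs3tecj.bat",
}

# Directories the sample wrote PE files into (lower-case, trailing backslash).
DROP_DIRS = ("c:\\windows\\system\\", "c:\\windows\\syswow64\\inf\\")
# A .bat directly in a drive root, as in:  cmd.exe /c "c:\mylbs3tecj.bat"
ROOT_BAT = re.compile(r'"?[a-z]:\\[^\\"]+\.bat"?', re.I)
# Target of  cmd /c del "<path>"  -- a self-delete when <path> is the parent's own image.
DEL_TARGET = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.I)
# ASSUMPTION: key behind the "policy Run key" signature; the report does not name it.
POLICY_RUN = "\\policies\\explorer\\run"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike process names such as svchoct.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_svchost_lookalike(image: str) -> bool:
    name = ntpath.basename(image).lower()
    return name != "svchost.exe" and levenshtein(name, "svchost.exe") == 1


def scan(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev.get("sha256") in KNOWN_SHA256:
            hits.append(("known_hash", ev.get("image") or ev.get("target")))
        if ev["type"] == "process":
            image, cmd = ev["image"], ev.get("cmdline", "")
            if is_svchost_lookalike(image):
                hits.append(("svchost_lookalike", image))
            if ntpath.basename(image).lower() == "cmd.exe":
                if ROOT_BAT.search(cmd):
                    hits.append(("cmd_runs_root_bat", cmd))
                m = DEL_TARGET.search(cmd)
                parent = ev.get("parent_image", "")
                if m and parent and m.group(1).lower() == parent.lower():
                    hits.append(("self_delete", parent))
        elif ev["type"] == "file":
            low = ev["target"].lower()
            if low.endswith((".exe", ".dll")) and low.startswith(DROP_DIRS):
                hits.append(("pe_dropped_in_windows_dir", ev["target"]))
        elif ev["type"] == "registry":
            if POLICY_RUN in ev["key"].lower():
                hits.append(("policy_run_key", ev["key"]))
    return hits


# Constructed events mirroring the report's process tree (paths and command lines from the page).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf.exe"
SAMPLE_SHA = "e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf"
SVCHOCT = r"C:\Windows\SysWOW64\inf\svchoct.exe"
REPORT_EVENTS = [
    {"type": "process", "image": SAMPLE_EXE, "parent_image": r"C:\Windows\explorer.exe",  # parent assumed
     "cmdline": f'"{SAMPLE_EXE}"', "sha256": SAMPLE_SHA},
    {"type": "file", "target": SVCHOCT, "sha256": "6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910"},
    {"type": "process", "image": SVCHOCT, "parent_image": SAMPLE_EXE,
     "cmdline": r'"C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_090131a.dll d16tan'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SVCHOCT,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "c:\mylbs3tecj.bat"'},
    {"type": "file", "target": r"C:\Windows\system\sgcxcxxaspf090131.exe", "sha256": SAMPLE_SHA},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "value": "sgcxcxxaspf090131"},  # key and value name are assumptions
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE_EXE,
     "cmdline": f'cmd /c del "{SAMPLE_EXE}"'},
]
# Constructed benign activity that must not fire.
BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\scripts\build.bat"'},
    {"type": "file", "target": r"C:\Users\Admin\Downloads\report.pdf", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for rule, detail in scan(REPORT_EVENTS):
        print(f"{rule:26s} {detail}")
```

Each rule is deliberately narrow and keyed to what the tree shows; in production the same predicates map onto Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set), and the look-alike check should be run against the full list of protected system binary names, not just svchost.exe.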

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            471B

            MD5

            228d25dd7d377af29848012a2b059814

            SHA1

            a29a3c1e167f3581b0aa4be90b1769a89beab01c

            SHA256

            9d4e26398806093c8af5a60e646afb3c2fc110ea0dc93821e29dc48da62280bb

            SHA512

            1d004bb21f7225fe220aae71d7836c0f5b2e58cb855209e2cc7f1a903ae73b67c408f59108b31faf7caed420758f4753b476c927299da5d607304b5d3a45bc61

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            434B

            MD5

            2b814d23288b54902f1972724ec3009d

            SHA1

            0e3bbe0fea82e578d12dbf149a60a796a8e984be

            SHA256

            876fc95c93c1ae0b009aea9aacf45029935903b72469e60500fb1202fda98ce1

            SHA512

            ae582dbb1a68ae889f30d5381b1d8fd051e33ed4f50fdfc1aedad4a513975834cfef58a836f468f8dfdb1131afaf6917c5da1cd2b1f3a84435ab71b16b26909c

          • C:\Windows\SysWOW64\inf\svchoct.exe

            Filesize

            60KB

            MD5

            889b99c52a60dd49227c5e485a016679

            SHA1

            8fa889e456aa646a4d0a4349977430ce5fa5e2d7

            SHA256

            6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

            SHA512

            08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

          • C:\Windows\System\sgcxcxxaspf090131.exe

            Filesize

            123KB

            MD5

            4ecf9cf3004dc580b9224b0ab15df4c0

            SHA1

            e1ac1b259d93a7a370f7409be4ffc30e81b6c8ba

            SHA256

            e6c81f287244a4351151613e4ca3ca1b84d8496d0b3e45e022a3ffd53f53fdaf

            SHA512

            d13b4cc0bb2e87ea4ab6f95f4cd767fa43d560ceeb03d8242b92b6ff5f7dae1b09a9e024ad99557f7963c0c4e4ad60be5473efb5736e8bc64a66ccc1680f24d5

          • C:\Windows\dcbdcatys32_090131a.dll

            Filesize

            236KB

            MD5

            7902693a6ec0d9276c209983200c6d7c

            SHA1

            1b8ae5802df3eb1f65c9332d5bf74c080cc48171

            SHA256

            0fb66568070073a3bab56b6ce9bc75c5cd3f22e3a3fd1f667bc7a3d67933247f

            SHA512

            b4ee3dbd1b00e23614d7dc0a5299e825f1362c7a18f148b3505ac8002ebc4b2574b3a5061cb80552d17aafaa4a2e1fa802e2336e6d64d5456c218e61d44267a1

          • C:\Windows\tawisys.ini

            Filesize

            384B

            MD5

            bc9e01ea830b2f5b08d3d92b6788f5b1

            SHA1

            b098277ff063468496e3d4e20d27b519055d59f4

            SHA256

            bd431510848df6ed76d1e348322cfd3807e2f09236d13b7f8453e5f139c7075e

            SHA512

            428e6a050f2aac2a2d31e4898877b4bb3f1d18458aab254decb5737a1adb25d43b5e09e16d13808cc13fe794c8eebd2ac44a69122182ac849517266bec41ad2b

          • C:\Windows\tawisys.ini

            Filesize

            495B

            MD5

            1adcae7d72f3b7f4c7d7dedbded3a73e

            SHA1

            6ffe990492f28d1cad2754fc23c434a8241adcaa

            SHA256

            2d9b04dc7ed5a465ca8db7b3dff2700e502911da77a1ac2cb08e1fc4e039e039

            SHA512

            df83e2d2f55d4b0b1e527b243275e682e7ad22d9e822233f0bf6179c7f91f805f74773a038c7ac573ce5c32c4e95368a1f5a60b7197691f4ba644f1a223f1afa

          • C:\Windows\wftadfi16_090131a.dll

            Filesize

            36KB

            MD5

            5061679e208b3d5724726a77ebcea8dd

            SHA1

            ea44196b87d1dd080a5d42701ba73c9100f4f2a4

            SHA256

            5a465097a8601b6c7d9e39b4f6ba115e8ca0436fb4a29266fde3df2a7bfbba40

            SHA512

            3e73b35e71709bd09d6d77f7050fca6e749cd9e6182d10dbebc135f83ee7b86d11a54b98933e2bee3c4e6dc1c2060c6072d0c24e69041232fe337192b1b57fb5

          • \??\c:\mylbs3tecj.bat

            Filesize

            53B

            MD5

            563d19af4939e7ab410c15b28ab5ce18

            SHA1

            5bcd275e09633428aae3991e5e27a4f97aee9c24

            SHA256

            accaf8ae8eda60214a17f5e73f83c96303c9fc0574d37e7759fa5e0005949356

            SHA512

            7430b67f8fc15b421d1ae3854ad5b55be46943d9133d63fded788af8a1604752aa6c456649111c01f56f54d2098013854089191be08622b8939a8eeeb8878c66

          • memory/764-146-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/764-147-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/764-149-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2128-132-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2128-139-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB