Overview

overview

8

Static

static

9fd754de93...78.exe

windows7-x64

8

9fd754de93...78.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fd754de933b5340912f3c96f385d1906d869d79ce8f661f93fc658e2bdd1578.exe

  • Size

    49KB

  • MD5

    4a61c1bd26498d8d6d40bde39fd65fa1

  • SHA1

    43e40151601cc0cf6cd2e9a4cf1d34b93cee569b

  • SHA256

    9fd754de933b5340912f3c96f385d1906d869d79ce8f661f93fc658e2bdd1578

  • SHA512

    38b00021b1d0e678810a4f78f4ab68e6ce8001b6dd093395c7291974f4043c608fa264f15d6a3a7d4ded689fc2817a4ab603c2f3c602325653f00507970a5ced

  • SSDEEP

    384:BbVWjDvtK+pTr+P7lf19XZt5hBxkcb1lpl8rC8Ska8de7jyrN+vQdML4N+ngsx3z:iDsS418pDUouKMLGOla

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 9 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fd754de933b5340912f3c96f385d1906d869d79ce8f661f93fc658e2bdd1578.exe
    "C:\Users\Admin\AppData\Local\Temp\9fd754de933b5340912f3c96f385d1906d869d79ce8f661f93fc658e2bdd1578.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
        PID:1592
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:960
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x584
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1796

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/916-54-0x000007FEF4A00000-0x000007FEF5423000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/916-55-0x000007FEF3720000-0x000007FEF47B6000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/916-56-0x0000000000B76000-0x0000000000B95000-memory.dmp

      Filesize

      124KB

      Download

    • memory/916-61-0x0000000000B76000-0x0000000000B95000-memory.dmp

      Filesize

      124KB

      Download

    • memory/960-57-0x000007FEFC581000-0x000007FEFC583000-memory.dmp

      Filesize

      8KB

      Download

    • memory/960-60-0x0000000004370000-0x0000000004380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1592-58-0x0000000000000000-mapping.dmp

      Download