Resubmissions

14-12-2022 15:53

221214-tb5x5aad59 10

14-12-2022 15:51

221214-takkssad55 1

14-12-2022 15:47

221214-s8qc9sad47 1

14-12-2022 15:43

221214-s5989sdc2s 3

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    14-12-2022 15:43

General

  • Target

    Cancelation 2805431 Dec 14.html

  • Size

    333KB

  • MD5

    b63e330eb0f58fdbd12c38247e99dd38

  • SHA1

    6ea53029c40acb462b6b58f185025041b15e5406

  • SHA256

    0b391821f77915a6e73a9b8caf414cb7e0ddad66e87cade38d20e44d5ca5fe6b

  • SHA512

    d7cc2ff091b4ffd03243c7fdbc18caa42a63ae1af951bd24811b98fe699481fbe58539b97a114683f22c6d4159b069bb3722073858b73b262fffa2892831b6eb

  • SSDEEP

    6144:bJCHs8Ctu7ggxoXujqn1tyR0iv7eTrvuKUiq64JQrUWbq/4KJ:bJh1tYxhjqn1tyR3AzFUO4mu

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; for an HTML file rendered by Internet Explorer with an overall score of 3/10 it is weak evidence on its own.)

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Cancelation 2805431 Dec 14.html"
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GTUA22LQ\Cancelation 2805431 Dec 14
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1984
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x49c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1672
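The process tree above records Internet Explorer (PID 1132) rendering the HTML, a file named "Cancelation 2805431 Dec 14" with no extension landing in the IE cache, and rundll32.exe (PID 1984) being launched with shell32.dll,OpenAs_RunDLL against it, which is the Windows "Open with" prompt for a file type Windows cannot associate. The following detection logic is an added example written for this page; it is not the sandbox's code. It assumes Sysmon-style process-creation telemetry (Image / CommandLine / ParentImage fields); the sample events are constructed from the report's process tree, the explorer.exe parent for PID 1132 is an assumption, and the benign control event is invented. The SHA256 values are the ones listed in this report.

```python
"""Flag the browser -> rundll32 OpenAs_RunDLL chain seen in the report.

Added example, not the sandbox's or the sample's code. Assumes Sysmon-like
process-creation events; the EVENTS list below is constructed from the
report's process tree plus one invented benign control case.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IoCs copied from the report (General and Downloads sections).
HTML_SHA256 = "0b391821f77915a6e73a9b8caf414cb7e0ddad66e87cade38d20e44d5ca5fe6b"
DROPPED_SHA256 = "3bd9565b4913e7f39cefe1024d0e400c3fc29b0e4712789bf30b94c2b2fc20ce"
IOC_SHA256 = {HTML_SHA256, DROPPED_SHA256}


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# rundll32 invoking the shell's "Open with" dialog on some target path.
OPENAS_RE = re.compile(r"shell32\.dll\s*,\s*OpenAs_RunDLL\s+(?P<target>.+)$", re.IGNORECASE)
# Target sits in the IE download cache, as in the report.
IE_CACHE_RE = re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.IGNORECASE)
BROWSERS = {"iexplore.exe"}


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding when a browser spawns an Open-With prompt for an
    extensionless file it just cached; None otherwise."""
    if _basename(ev.image) != "rundll32.exe":
        return None
    m = OPENAS_RE.search(ev.cmdline)
    if not m:
        return None
    target = m.group("target").strip().strip('"')
    browser_parent = _basename(ev.parent_image) in BROWSERS
    from_cache = bool(IE_CACHE_RE.search(target))
    no_extension = "." not in _basename(target)
    if browser_parent and from_cache and no_extension:
        return (f"pid {ev.pid}: browser-spawned Open-With prompt for "
                f"extensionless cached download '{_basename(target)}'")
    return None


def scan(events: Iterable[ProcEvent]) -> List[str]:
    return [f for f in (classify(e) for e in events) if f]


def match_hashes(observed: Iterable[str]) -> List[str]:
    """Return observed SHA256 values that appear in the report's IoC set."""
    return sorted({h.lower() for h in observed} & IOC_SHA256)


# Constructed from the report's process tree (parent of 1132 is assumed).
EVENTS = [
    ProcEvent(1132, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Cancelation 2805431 Dec 14.html"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1608, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:275457 /prefetch:2',
              r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(1984, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GTUA22LQ\Cancelation 2805431 Dec 14',
              r"C:\Program Files\Internet Explorer\iexplore.exe"),
    # Invented benign control: user picks "Open with" on a document from Explorer.
    ProcEvent(4242, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\notes.txt',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
    print(match_hashes([DROPPED_SHA256, "0" * 64]))
```

Only the PID 1984 event fires: the control case has the same rundll32 command shape but an Explorer parent, a normal extension and a path outside the IE cache, so requiring all three conditions keeps ordinary "Open with" use out of the alert. `match_hashes` is the companion check for the two file hashes the report publishes.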

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 2
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    5c5dd28548133fe23c3a16fb0dd418f5

    SHA1

    3646074765f234c1787c1534b688711620c102af

    SHA256

    eaedf8a95f68e6dd2c460e07c3191eca42610ffb416ef3a9e6e1cf657789416c

    SHA512

    eadec3a4112b0ce6943194b52eaa53beb6d0d91e1aa40ffbe30530b9b4ac3ee260f4dd59c2c9ca326b5c2ce52e024fdea9bdfaae9b640b34abb7aee281fc243c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GTUA22LQ\Cancelation 2805431 Dec 14.5hgh2g1.partial
    Filesize

    241KB

    MD5

    f27a9cc9679f21a1e1d6432ee6e2a18b

    SHA1

    b18e2ccc877075a4f570e09035e738975f2f0bc4

    SHA256

    3bd9565b4913e7f39cefe1024d0e400c3fc29b0e4712789bf30b94c2b2fc20ce

    SHA512

    cc8c4456c722bb033ce32aced145f6833730370487c9efd42d4e4d49d95a905980aefdb5fe59ba5254b15509b7433710d9c539bbe85aebf5bcd3a76ad84f33a0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\41H0NG2H.txt
    Filesize

    608B

    MD5

    1dafb70a35e984ff6a43da2c43a3a8cd

    SHA1

    a920bac8b34230ff8120667a03410c811143d2de

    SHA256

    0c4dc3f8968f23438d3e92c62a04dd377f1e5cf224a7347a6527892f20c61c23

    SHA512

    20cf32d3fc4dcffa079df130a82f3346d0836e55e5aaec08aedd4c02f5064f487856204d37621ef47209ee09582e49404082b4d832339db5c7b55cfb0868a7ee

  • C:\Users\Admin\Downloads\Cancelation 2805431 Dec 14.9novs8j.partial
    Filesize

    241KB

    MD5

    f27a9cc9679f21a1e1d6432ee6e2a18b

    SHA1

    b18e2ccc877075a4f570e09035e738975f2f0bc4

    SHA256

    3bd9565b4913e7f39cefe1024d0e400c3fc29b0e4712789bf30b94c2b2fc20ce

    SHA512

    cc8c4456c722bb033ce32aced145f6833730370487c9efd42d4e4d49d95a905980aefdb5fe59ba5254b15509b7433710d9c539bbe85aebf5bcd3a76ad84f33a0

  • memory/1984-55-0x0000000000000000-mapping.dmp
  • memory/1984-56-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp
    Filesize

    8KB