Analysis

  • max time kernel
    73s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/12/2022, 23:18

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    bac43db85fb7279c44edb5dee47dcfeb

  • SHA1

    426f48491e5e7146ce0e43397c7cc3513a1706e7

  • SHA256

    cafbf35c0d9cf556d2c92086e0145ed092959eb725d6a8134adb9df835ad4a9d

  • SHA512

    c6043fdd816e1922ef0315f0c0d4265f6d381b77061de607506623e3383464b639cb75fe00eb43fe7b3c7f1250bbaa159ece929f8cdf17c1e4974cd9fa54fb87

  • SSDEEP

    24576:M4nXubIQGyxbPV0db268K3q6faXeoubtQo+8YzqNAh3XBQ0FPcQsY8Nl85Xab6s9:Mqe3f6lq6yXeout9+QAPcTYy2Wn

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\is-NCAIN.tmp\file.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NCAIN.tmp\file.tmp" /SL5="$60122,1078593,780800,C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe" /SILENT
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Users\Admin\AppData\Local\Temp\is-BM4LQ.tmp\file.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-BM4LQ.tmp\file.tmp" /SL5="$70122,1078593,780800,C:\Users\Admin\AppData\Local\Temp\file.exe" /SILENT
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\system32\taskkill.exe
            "taskkill" /F /IM msedge.exe /T
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:984
          • C:\Windows\system32\taskkill.exe
            "taskkill" /F /IM chrome.exe /T
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:816
          • C:\Windows\system32\taskkill.exe
            "taskkill" /F /IM brave.exe /T
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:996
          • C:\Windows\system32\taskkill.exe
            "taskkill" /F /IM opera.exe /T
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\system32\taskkill.exe
            "taskkill" /F /IM vivaldi.exe /T
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1756
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-PNSMA.tmp\install.bat" install"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:860
            • C:\Windows\system32\reg.exe
              REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Users\Admin\AppData\Local\WindowsApp\ext.dll" /f
              6⤵
              PID:1004
            • C:\Windows\system32\reg.exe
              REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f
              6⤵
              PID:1164
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://smashbrowser.com/welcome2.php
            5⤵
            • Loads dropped DLL
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1780
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1172

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

              Filesize

              61KB

              MD5

              fc4666cbca561e864e7fdf883a9e6661

              SHA1

              2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

              SHA256

              10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

              SHA512

              c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

              Filesize

              1KB

              MD5

              a266bb7dcc38a562631361bbf61dd11b

              SHA1

              3b1efd3a66ea28b16697394703a72ca340a05bd5

              SHA256

              df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

              SHA512

              0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              342B

              MD5

              727ea235d591de048b53d97753a2c07e

              SHA1

              4c60e2dc616e003b708b81995d12499ca94c573a

              SHA256

              fa7023af0b29b9a6f99d0ff64dfb9f4ef26b9e0da4ca33296eab8b2b1f0280d7

              SHA512

              12806ce706f630ecf6f47e90fc55842fc0df29b5455eb1636ee09641b16c0f1983dc5679733f4193490cba8ac042b98e972d2f018f11fb8fc584d14a17c8ba55

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

              Filesize

              242B

              MD5

              ded76c863caf58b566e8088047e759a7

              SHA1

              44690d337e3d099456be049e0be443359751d020

              SHA256

              c9c501448f278dd44d1f9e54a9b4f703746c1ac483fd4aae82560278f4d2c5d1

              SHA512

              62ccf8f5df7a1097645a2c0d50385025d70a673b1b083783b5dc5b024c858d34dcc58c4b54b4794137d22dc1766e08f1affb322f9f0d8da168071da9fe4a463e

            • C:\Users\Admin\AppData\Local\Temp\is-BM4LQ.tmp\file.tmp

              Filesize

              2.9MB

              MD5

              4193a1ba05847842590be08bec38cc72

              SHA1

              6a294d185949a7f8655805484fe6f6b522a8077a

              SHA256

              2aded9b00081dd6bcb376f99af5d5462a70c567682c425e5ca9734506058c686

              SHA512

              53acb9b81a9cb0c8b3cd1e0e44f602378c1faa6e1356c4cbcd3a5c625e5e18af892bb9181e1cb3423b7548b542d23a523484483bab25c872a94372e6493f0465

            • C:\Users\Admin\AppData\Local\Temp\is-NCAIN.tmp\file.tmp

              Filesize

              2.9MB

              MD5

              4193a1ba05847842590be08bec38cc72

              SHA1

              6a294d185949a7f8655805484fe6f6b522a8077a

              SHA256

              2aded9b00081dd6bcb376f99af5d5462a70c567682c425e5ca9734506058c686

              SHA512

              53acb9b81a9cb0c8b3cd1e0e44f602378c1faa6e1356c4cbcd3a5c625e5e18af892bb9181e1cb3423b7548b542d23a523484483bab25c872a94372e6493f0465

            • C:\Users\Admin\AppData\Local\Temp\is-PNSMA.tmp\install.bat

              Filesize

              335B

              MD5

              bfffeea4a5bc13062b6c4108cc8e90e0

              SHA1

              d6582a2e4d1e1f79bc40c3432343ae63f12886cb

              SHA256

              6ab2311de65c8ec6fa42c01b9cbe8443b16304076e51b005b87aea95e50b5be2

              SHA512

              9e6db3da7f20baf83c43e1ba9e0bb259aaaf157ad6d126376af69433bab9c88b1fbac7818e72465fb9984b16de5ce071c03e40918fd48816e6384d1255ed78de

            • C:\Users\Admin\AppData\Local\WindowsApp\ext.dll

              Filesize

              604KB

              MD5

              f47a4502345fb39e35b4b7d7fb1c8e55

              SHA1

              efe7798ad5c8d77f36cacdc1a65c22ca8792b09f

              SHA256

              e788ffef53cedbcc81fa19933a0940a5d5110a8f2abff32d0fd6050f113be4d9

              SHA512

              cbd76e7537e6e31ac890121c73338774e4eddeaefb5ee3ca6c7285288f5da00abc4e8e9b1949e1e6f2f633bcaaef4be918e2b84a6a0a046796ce9cbe94b72d72

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EH2S5XEA.txt

              Filesize

              606B

              MD5

              bc26c39bff59e6489e52a1569efc273e

              SHA1

              aa0098e995fcc6fe607d1899135943f17517fbf4

              SHA256

              0581af5e2c35d9c167257cc4caaf804a8347c32cd113f7a1994cdf6c6058096a

              SHA512

              9deac61cb4bac590832fed1d65b2bc41b64afd481703a1e6fb7d462dee99bc34b564ecd538d3444df7d12e3d97b31f1e91b8816c89b65b794ef0d07980b2a2bf

            • \Users\Admin\AppData\Local\Temp\is-BM4LQ.tmp\file.tmp

              Filesize

              2.9MB

              MD5

              4193a1ba05847842590be08bec38cc72

              SHA1

              6a294d185949a7f8655805484fe6f6b522a8077a

              SHA256

              2aded9b00081dd6bcb376f99af5d5462a70c567682c425e5ca9734506058c686

              SHA512

              53acb9b81a9cb0c8b3cd1e0e44f602378c1faa6e1356c4cbcd3a5c625e5e18af892bb9181e1cb3423b7548b542d23a523484483bab25c872a94372e6493f0465

            • \Users\Admin\AppData\Local\Temp\is-NCAIN.tmp\file.tmp

              Filesize

              2.9MB

              MD5

              4193a1ba05847842590be08bec38cc72

              SHA1

              6a294d185949a7f8655805484fe6f6b522a8077a

              SHA256

              2aded9b00081dd6bcb376f99af5d5462a70c567682c425e5ca9734506058c686

              SHA512

              53acb9b81a9cb0c8b3cd1e0e44f602378c1faa6e1356c4cbcd3a5c625e5e18af892bb9181e1cb3423b7548b542d23a523484483bab25c872a94372e6493f0465

            • \Users\Admin\AppData\Local\WindowsApp\ext.dll

              Filesize

              604KB

              MD5

              f47a4502345fb39e35b4b7d7fb1c8e55

              SHA1

              efe7798ad5c8d77f36cacdc1a65c22ca8792b09f

              SHA256

              e788ffef53cedbcc81fa19933a0940a5d5110a8f2abff32d0fd6050f113be4d9

              SHA512

              cbd76e7537e6e31ac890121c73338774e4eddeaefb5ee3ca6c7285288f5da00abc4e8e9b1949e1e6f2f633bcaaef4be918e2b84a6a0a046796ce9cbe94b72d72

            • memory/332-77-0x00000000741F1000-0x00000000741F3000-memory.dmp

              Filesize

              8KB

            • memory/1132-66-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

            • memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

              Filesize

              8KB

            • memory/1132-61-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

            • memory/1132-55-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

            • memory/1384-84-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

            • memory/1384-67-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB

            • memory/1384-64-0x0000000000400000-0x00000000004CC000-memory.dmp

              Filesize

              816KB