Overview

overview

7

Static

static

3

11a73e92ab...07.exe

windows7-x64

7

11a73e92ab...07.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2023 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11a73e92abda63441b770d350c5b1607.exe

  • Size

    58KB

  • MD5

    11a73e92abda63441b770d350c5b1607

  • SHA1

    e7cf35bac96dabf03894283c73ea96872597f7b1

  • SHA256

    cab4edff3dfee7b58936f9e01a1d06ab944b58bdc9a6442cff6f2625267d3817

  • SHA512

    4d85ddb115a99802c0ca04d6077f59d6810caf466c941af76cd4cd48c0608555f76dc5ff8cc38e3013b1ac197d28c320c014641b0db80999b19bb29c8de38cf7

  • SSDEEP

    1536:dhk+fFlM3uFqYZdQjxBP52N4yJIbYEp3qMtjqMqMjqMqlqMn:dJMaZdo2NjJAYEpG

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3392
      • C:\Users\Admin\AppData\Local\Temp\11a73e92abda63441b770d350c5b1607.exe
        "C:\Users\Admin\AppData\Local\Temp\11a73e92abda63441b770d350c5b1607.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start iexplore -embedding
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3728
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4728
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 504
          3⤵
          • Program crash
          PID:4212
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fig4093.bat"
          3⤵
            PID:2644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4944 -ip 4944
        1⤵
          PID:1072

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC534.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fig4093.bat
          Filesize

          188B

          MD5

          23cc8fb529d11ad27ba79b2d96b5f84e

          SHA1

          d7717fac1ff3d9ddcfd1702b39bf5cb208162ab4

          SHA256

          f3fb801b4ba297f1c69d447841b1f43d8e9b2611d3dff674a254cef727a4b365

          SHA512

          d9f8e264a1ab1ef1bbe1d3cb20652c230739d2d83b183152199d4f7067b5368f96377edaab722e333dd5c06ed7a9c2c4e1a7e9a348e203731c1f03ba013b37c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fig4093.tmp
          Filesize

          39KB

          MD5

          266b0eb83dde2f8121a7e0b26e3014b7

          SHA1

          e9af9e74322baa87198c10dd5cd2c671cd976742

          SHA256

          85810cf5d4b07c1cc7904843ec7a128653813ad07c936291b9ef7afe0bc6575e

          SHA512

          468401c7ef8e8025bdb1ec025fe0e43e861f6795f72d83e29fa4c9b8795c6b01508daa4410d28f2e32a588e46f71f67492dba9b7ebe707004c0288227788e2a5

          Download Submit

        • memory/3392-8-0x000000007FFF0000-0x000000007FFF6000-memory.dmp

          Filesize

          24KB

          Download